From 63b935927ab8935323e52a1f4ea0d0facacf02ad Mon Sep 17 00:00:00 2001
From: Deimos
Date: Fri, 20 Sep 2019 15:23:46 -0600
Subject: [PATCH] Add frame-src to CSP for Stripe
The Stripe Checkout redirect was getting blocked by the Content Security Policy, and requires being allowed through frame-src like this.
---
 salt/salt/nginx/tildes.conf.jinja2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/nginx/tildes.conf.jinja2 b/salt/salt/nginx/tildes.conf.jinja2
index e7021ca..d6bb8d7 100644
--- a/salt/salt/nginx/tildes.conf.jinja2
+++ b/salt/salt/nginx/tildes.conf.jinja2
@@ -32,8 +32,8 @@ server {
 # Content Security Policy:
 # - "img-src data:" is needed for Spectre.css icons
-# - "script-src https://js.stripe.com" is needed for Stripe donation page
-add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
+# - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
+add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'" always;
 {% endif %}
 add_header X-Content-Type-Options "nosniff" always;
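Review bot: The new `frame-src 'self' https://js.stripe.com` grants more than the commit message justifies: with `default-src 'none'` the old policy allowed no frames at all, and only js.stripe.com is named as needed for the Checkout redirect, so the `'self'` source newly permits same-origin iframes without a stated reason. Unless the site actually frames its own pages, the least-privilege form is `frame-src https://js.stripe.com;` and the comment line above it should say why each source is present. One caveat worth a comment in the config: browsers that do not recognise `frame-src` fall back to `child-src` and then to `default-src 'none'`, so the redirect would still be blocked there unless a matching `child-src` directive is added; whether that matters depends on the supported-browser set, which I cannot confirm from here. The `{% if %}` closed by the visible `{% endif %}` begins outside this hunk.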