From 8cb4c92f74313b33ddb99d629c010cba080e7ced Mon Sep 17 00:00:00 2001
From: Roman Zimmermann
Date: Wed, 6 Nov 2024 07:41:40 +0100
Subject: [PATCH 1/2] feat: Implement hook_d7csp_hosts()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scripts and iframes are inserted by the JS that’s initially loaded, those need explicit allowlisting (because the script doesn’t forward nonces).
---
 stripe_payment.module | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/stripe_payment.module b/stripe_payment.module
index fd70b2d..541c4ac 100644
--- a/stripe_payment.module
+++ b/stripe_payment.module
@@ -436,3 +436,12 @@ function _stripe_payment_validate_comma_separated_keys($element, &$form_state, $
 $keys = array_map('trim', explode(',', $element['#value']));
 form_set_value($element, $keys, $form_state);
 }
+
+/**
+ * Implements hook_d7csp_hosts().
+ */
+function stripe_payment_d7csp_hosts() {
+ $hosts['frame-src'][] = 'https://js.stripe.com';
+ $hosts['script-src'][] = 'https://js.stripe.com';
+ return $hosts;
+}

From 77ecd9156665b294f8c2f46e8ff87c78017cd35c Mon Sep 17 00:00:00 2001
From: Roman Zimmermann
Date: Thu, 14 Nov 2024 10:39:54 +0100
Subject: [PATCH 2/2] feat(d7csp): Allow all iframes as 3DS iframes are bank specific

---
 stripe_payment.module | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stripe_payment.module b/stripe_payment.module
index 541c4ac..415187f 100644
--- a/stripe_payment.module
+++ b/stripe_payment.module
@@ -441,7 +441,9 @@ function _stripe_payment_validate_comma_separated_keys($element, &$form_state, $
 * Implements hook_d7csp_hosts().
 */
 function stripe_payment_d7csp_hosts() {
- $hosts['frame-src'][] = 'https://js.stripe.com';
 $hosts['script-src'][] = 'https://js.stripe.com';
+ // Likely needed for 3DS iframes. Those are provided by the banks.
+ $hosts['frame-src'][] = '*';
+ $hosts['form-action'][] = '*';
 return $hosts;
 }
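Review bot: The docblock on `stripe_payment_d7csp_hosts()` only says "Implements hook_d7csp_hosts()", so the reason these hosts have to be allowlisted at all lives in the commit message rather than next to the code; a reader hardening the policy later will not know why a host-based allowlist was chosen over the page nonce. I would add, above the first `$hosts[...]` line, `// Stripe.js injects further scripts and iframes itself and does not forward the page nonce, so its host must be allowlisted explicitly.`. Minor style point in the same hunk: `$hosts` is appended to before it is ever assigned; starting the function with `$hosts = array();` (the module's Drupal 7 array style) makes the return type obvious and avoids relying on implicit array creation.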
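Review bot: `$hosts['frame-src'][] = '*';` and `$hosts['form-action'][] = '*';` open both directives to every origin on every page the d7csp hook is applied to, and the added comment itself only says this is "Likely needed", so the weakening is not backed by an observed violation. Since the stated goal is accepting bank-specific 3DS challenge frames whose hosts cannot be enumerated, the scheme source `https:` achieves that while still excluding plain `http:` and other schemes: `$hosts['frame-src'][] = 'https:';`. For `form-action`, as far as I can tell the directive governs only form submissions made from this document, while the 3DS challenge form lives inside the bank's cross-origin iframe and is subject to that document's own policy, so the wildcard would only matter if Stripe.js itself posts a top-level form; please confirm which flow actually needed it, and if it stays, narrow it the same way (`$hosts['form-action'][] = 'https:';`) and replace "Likely needed" in the comment with the concrete flow that triggered the violation.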