tenseleyflow/shithub / 00cf2d6


middleware/secure: allow Stripe checkout + portal in form-action

Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
00cf2d6a290e989add3d235d63bb730cdae3ae8e
Parents
b03b58d
Tree
ba909b4

1 changed file

M internal/web/middleware/secure.go 8 1
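--- a/internal/web/middleware/secure.go
+++ b/internal/web/middleware/secure.go
@@ -24,6 +24,13 @@ func DefaultSecureHeaders() SecureHeadersConfig {
 		// Permit Primer CSS's inline style attributes (it uses them
 		// liberally) and our own first-party scripts. S35 evaluates moving
 		// to nonces / strict-dynamic.
+		//
+		// form-action allows Stripe's hosted Checkout and Customer billing
+		// portal hosts so the POST→303→Stripe redirect chain isn't blocked
+		// by browsers that enforce form-action across redirects (Safari,
+		// recent Chromium). Without those entries Safari aborts the
+		// redirect from /settings/billing/checkout to checkout.stripe.com
+		// with no visible error.
 		CSP: "default-src 'self'; " +
 			"img-src 'self' data: https:; " +
 			"style-src 'self' 'unsafe-inline'; " +
@@ -31,7 +38,7 @@ func DefaultSecureHeaders() SecureHeadersConfig {
 			"font-src 'self' data:; " +
 			"connect-src 'self'; " +
 			"frame-ancestors 'none'; " +
-			"form-action 'self'; " +
+			"form-action 'self' https://checkout.stripe.com https://billing.stripe.com; " +
 			"base-uri 'self'; " +
 			"object-src 'none'",
 		HSTS:            "max-age=31536000; includeSubDomains",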
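Review bot: The widened `form-action` on the changed line lives in DefaultSecureHeaders, so it presumably applies to every response, not only the billing routes; any form anywhere on the site may now submit to the two Stripe hosts. That is low risk because both hosts are Stripe-owned, but least privilege would keep `"form-action 'self'; " +` in the default and override the CSP only for the /settings/billing handlers that start the redirect, if SecureHeadersConfig supports a per-route value (its definition is outside the hunk, so this is inferred). The new comment's "with no visible error" is itself a detection gap worth noting: a `report-to`/`report-uri` directive on this policy would have surfaced the Safari form-action violation as a report instead of a silent abort, and would catch the next host that needs adding. Consider ending the comment with `// If the redirect breaks again, check the browser console for a form-action CSP violation before touching this list.` so the next maintainer knows where to look.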