fix csp on strip checkout page

app/templating/AssetHelper.scala

@@ -103,7 +103,7 @@ trait AssetHelper { self: I18nHelper =>
 
   def defaultCsp(implicit ctx: Context): ContentSecurityPolicy = {
     implicit val req = ctx.req
-    basicCsp.withScriptSrc(ctx.nonce.scriptSrc)
+    basicCsp.withNonce(ctx.nonce)
   }
 
   def embedJsUnsafe(js: String)(implicit ctx: Context): Html = Html {

app/views/base/layout.scala.html

@@ -15,7 +15,7 @@ atom: Option[Html] = None,
 chessground: Boolean = true,
 zoomable: Boolean = false,
 asyncJs: Boolean = false,
-csp: Option[String] = None)(body: Html)(implicit ctx: Context)
+csp: Option[lila.common.ContentSecurityPolicy] = None)(body: Html)(implicit ctx: Context)
 <!doctype html>
 <html lang="@lang.language">
   <!-- Lichess is open source! See https://github.com/ornicar/lila -->

app/views/plan/index.scala.html

@@ -29,7 +29,8 @@ moreJs = moreJs,
 openGraph = lila.app.ui.OpenGraph(
 title = title,
 url = s"$netBaseUrl${routes.Plan.index.url}",
-description = "Free chess for everyone, forever!").some) {
+description = "Free chess for everyone, forever!").some,
+csp = defaultCsp.withStripe.some) {
 <div class="content_box no_padding plan">
   @patron.ifTrue(ctx.me.??(_.isPatron)).map { p =>
   <div class="banner one_time_active">

modules/common/src/main/ContentSecurityPolicy.scala

@@ -10,7 +10,15 @@ case class ContentSecurityPolicy(
     scriptSrc: List[String]
 ) {
 
-  def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
+  private def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
+
+  def withNonce(nonce: Nonce) = withScriptSrc(nonce.scriptSrc)
+
+  def withStripe = copy(
+    connectSrc = "https://*.stripe.com" :: connectSrc,
+    scriptSrc = "https://*.stripe.com" :: scriptSrc,
+    childSrc = "https://*.stripe.com" :: childSrc
+  )
 
   override def toString: String =
     List(