liberal csp for spreadshirt

2018-05-07 19:42:35 +02:00 · 2018-05-07 19:42:35 +02:00 · 68e1ea8c40
parent 39e65f16eb
commit 68e1ea8c40
2 changed files with 13 additions and 2 deletions
--- a/app/views/site/swag.scala.html
+++ b/app/views/site/swag.scala.html
@ -13,7 +13,8 @@ title = "Lichess Swag",
 openGraph = lila.app.ui.OpenGraph(
 title = "Lichess merch store",
 description = "Great chess deserves great T-shirts! Get yourself some swag and help pay for the servers.",
-url = s"$netBaseUrl${routes.Page.swag}").some) {
+url = s"$netBaseUrl${routes.Page.swag}").some,
+csp = defaultCsp.withSpreadshirt.some) {

 <div class="content_box swag no_padding">
  <div id="myShop">
@ -27,7 +28,7 @@ url = s"$netBaseUrl${routes.Page.swag}").some) {
    var spread_shop_config = {
      shopName: 'lichess-org',
        locale: 'us_US',
-        prefix: '//shop.spreadshirt.com',
+        prefix: 'https://shop.spreadshirt.com',
        baseId: 'myShop'
    };
  }
--- a/modules/common/src/main/ContentSecurityPolicy.scala
+++ b/modules/common/src/main/ContentSecurityPolicy.scala
@ -20,6 +20,16 @@ case class ContentSecurityPolicy(
    childSrc = "https://*.stripe.com" :: childSrc
  )

+  def withSpreadshirt = copy(
+    defaultSrc = Nil,
+    connectSrc = "https://shop.spreadshirt.com" :: "https://api.spreadshirt.com" :: connectSrc,
+    styleSrc = Nil,
+    fontSrc = Nil,
+    childSrc = Nil,
+    imgSrc = Nil,
+    scriptSrc = Nil
+  )
+
  override def toString: String =
    List(
      "default-src " -> defaultSrc,