From 38c43d3f27c443d394c9e59492e843621e181351 Mon Sep 17 00:00:00 2001
From: poduck
Date: Thu, 27 Nov 2025 12:39:17 -0500
Subject: [PATCH] Relax CSP settings in local.py to fix Stripe Connect issues

- Convert CSP settings to lists
- Add 'unsafe-eval' and 'unsafe-inline' to script-src
- Add 'blob:' to default-src as fallback
- Update connect-src to include Stripe domains
---
 smoothschedule/config/settings/local.py | 26 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/smoothschedule/config/settings/local.py b/smoothschedule/config/settings/local.py
index 196a109..fa163bc 100644
--- a/smoothschedule/config/settings/local.py
+++ b/smoothschedule/config/settings/local.py
@@ -6,37 +6,41 @@ from .multitenancy import env, INSTALLED_APPS, MIDDLEWARE
 # CONTENT SECURITY POLICY (CSP)
 # Explicitly imported/re-defined here to ensure they are active in local dev
 # =============================================================================
-CSP_DEFAULT_SRC = ("'self'",)
-CSP_SCRIPT_SRC = (
+CSP_DEFAULT_SRC = ["'self'", "blob:", "data:"]
+CSP_SCRIPT_SRC = [
     "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
     "https://js.stripe.com",
     "https://connect-js.stripe.com",
     "https://www.googletagmanager.com",
     "https://www.google-analytics.com",
     "blob:",  # Required for Stripe
-)
-CSP_STYLE_SRC = (
+]
+CSP_STYLE_SRC = [
     "'self'",
     "'unsafe-inline'",  # Required for Stripe and many UI libraries
-)
-CSP_IMG_SRC = (
+    "https://fonts.googleapis.com",
+]
+CSP_IMG_SRC = [
     "'self'",
     "data:",
     "https://*.stripe.com",
     "https://www.google-analytics.com",
-)
-CSP_CONNECT_SRC = (
+]
+CSP_CONNECT_SRC = [
     "'self'",
     "https://api.stripe.com",
+    "https://connect-js.stripe.com",
     "https://www.google-analytics.com",
     "https://stats.g.doubleclick.net",
-)
-CSP_FRAME_SRC = (
+]
+CSP_FRAME_SRC = [
     "'self'",
     "https://js.stripe.com",
     "https://hooks.stripe.com",
     "https://connect-js.stripe.com",
-)
+]
 
 # GENERAL
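Review bot: The two new `CSP_SCRIPT_SRC` entries `'unsafe-inline'` and `'unsafe-eval'` remove the script-injection protection CSP exists to provide, and unlike the existing `blob:` entry they carry no comment saying why they are needed or that they are confined to the local settings module; I would annotate them, e.g. `"'unsafe-inline'",  # DEV ONLY: disables CSP script protection, do not copy to production settings` and the same for `'unsafe-eval'`. The new `CSP_DEFAULT_SRC` also gains `data:` alongside `blob:`, which the commit message does not mention; since default-src is the fallback for every directive not listed here (object-src, font-src, worker-src, and so on), a `data:` scheme there is broader than the "fallback for Stripe" the message describes, so either document which resource actually needs it or move it to the specific directive. If the intent is for local.py to diverge from production, a one-line comment at the top of the block recording that these relaxations are intentionally dev-only would prevent the list from being copied wholesale into the production module later.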