jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(csp): allow secure.helcim.app for HelcimPay.js
Some checks failed
Test / vitest (push) Successful in 11m5s
Details
Test / playwright (push) Failing after 9m24s
Details
Test / visual (push) Failing after 9m20s
Details
Test / Notify on failure (push) Successful in 3s
Details

Browse source 
The HelcimPay modal loads from secure.helcim.app, but the CSP only
listed myposjs.helcim.com (script/connect) and secure.helcim.com
(frame, likely a stale typo). Add secure.helcim.app to script-src,
connect-src, and frame-src so the join flow's payment modal can load.
This commit is contained in:
Jennie Robinson Faber 2026-04-26 15:59:02 +01:00
parent 210a8d588f
commit e3410c52a5
2 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tests/server/middleware/security-headers.test.js
View file

@ -86,7 +86,7 @@ describe('security-headers middleware', () => {
const csp = event._testSetHeaders['content-security-policy']
expect(csp).toContain('myposjs.helcim.com')
expect(csp).toContain('api.helcim.com')
expect(csp).toContain('secure.helcim.com')
expect(csp).toContain('secure.helcim.app')
})
it('includes Cloudinary sources in CSP', () => {