Jennie Robinson Faber
e3410c52a5
The HelcimPay modal loads from secure.helcim.app, but the CSP only listed myposjs.helcim.com (script/connect) and secure.helcim.com (frame, likely a stale typo). Add secure.helcim.app to script-src, connect-src, and frame-src so the join flow's payment modal can load.
35 lines
1.4 KiB
JavaScript
35 lines
1.4 KiB
JavaScript
export default defineEventHandler((event) => {
|
|
const path = getRequestURL(event).pathname
|
|
|
|
const headers = {
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '0',
|
|
'Referrer-Policy': 'strict-origin-when-cross-origin',
|
|
'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
|
|
}
|
|
|
|
if (process.env.NODE_ENV === 'production') {
|
|
headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
|
|
|
// Skip CSP for OIDC routes — they serve self-contained HTML
|
|
// rendered by oidc-provider with its own form actions
|
|
if (!path.startsWith('/oidc/')) {
|
|
headers['Content-Security-Policy'] = [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://secure.helcim.app https://plausible.io",
|
|
"frame-src 'self' https://myposjs.helcim.com https://secure.helcim.app",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; ')
|
|
}
|
|
}
|
|
|
|
for (const [key, value] of Object.entries(headers)) {
|
|
setHeader(event, key, value)
|
|
}
|
|
})
|