From 8cb4c92f74313b33ddb99d629c010cba080e7ced Mon Sep 17 00:00:00 2001
From: Roman Zimmermann <roman@more-onion.com>
Date: Wed, 6 Nov 2024 07:41:40 +0100
Subject: [PATCH 1/2] feat: Implement hook_d7csp_hosts()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scripts and iframes are inserted by the JS that’s initially loaded;
they need explicit allowlisting because that script doesn’t forward
nonces.
---
 stripe_payment.module | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/stripe_payment.module b/stripe_payment.module
index fd70b2d..541c4ac 100644
--- a/stripe_payment.module
+++ b/stripe_payment.module
@@ -436,3 +436,12 @@ function _stripe_payment_validate_comma_separated_keys($element, &$form_state, $
   $keys = array_map('trim', explode(',', $element['#value']));
   form_set_value($element, $keys, $form_state);
 }
+
+/**
+ * Implements hook_d7csp_hosts().
+ */
+function stripe_payment_d7csp_hosts() {
+  $hosts['frame-src'][] = 'https://js.stripe.com';
+  $hosts['script-src'][] = 'https://js.stripe.com';
+  return $hosts;
+}
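Review bot: The docblock on `stripe_payment_d7csp_hosts()` does not say why these hosts are allowlisted; the reasoning exists only in the commit message and will be lost to anyone reading the module. I would add a comment above the two assignments such as `// Stripe.js injects further scripts and iframes without forwarding the CSP nonce, so its host is allowlisted explicitly.` In addition, `$hosts` is created implicitly by the first append; starting the body with `$hosts = array();` makes the return shape (directive name => list of sources) explicit.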

From 77ecd9156665b294f8c2f46e8ff87c78017cd35c Mon Sep 17 00:00:00 2001
From: Roman Zimmermann <roman@more-onion.com>
Date: Thu, 14 Nov 2024 10:39:54 +0100
Subject: [PATCH 2/2] feat(d7csp): Allow all iframes as 3DS iframes are bank
 specific

---
 stripe_payment.module | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stripe_payment.module b/stripe_payment.module
index 541c4ac..415187f 100644
--- a/stripe_payment.module
+++ b/stripe_payment.module
@@ -441,7 +441,9 @@ function _stripe_payment_validate_comma_separated_keys($element, &$form_state, $
  * Implements hook_d7csp_hosts().
  */
 function stripe_payment_d7csp_hosts() {
-  $hosts['frame-src'][] = 'https://js.stripe.com';
   $hosts['script-src'][] = 'https://js.stripe.com';
+  // Likely needed for 3DS iframes. Those are provided by the banks.
+  $hosts['frame-src'][] = '*';
+  $hosts['form-action'][] = '*';
   return $hosts;
 }
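Review bot: `$hosts['frame-src'][] = '*';` and `$hosts['form-action'][] = '*';` give up most of what those two directives protect on a payment page, since injected markup could then frame or post a form to any origin, and the comment itself only says the wildcard is "likely" needed. If the bank-hosted 3DS frames are nested inside Stripe's own frame, the page's `frame-src` would not govern them and the Stripe hosts alone might be enough; that is worth confirming with a report-only policy before shipping the wildcard. If a broad source really is required, the scheme source at least excludes plain-HTTP targets: `$hosts['frame-src'][] = 'https:';` and `$hosts['form-action'][] = 'https:';`. The comment explains only the iframe case, so the `form-action` line needs its own justification. Whether this hook's sources apply site-wide or only where a Stripe form is rendered is not visible in this hunk, and that determines how far the relaxation reaches.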