Crowdfund: Add CSP rules for Disqus

Fixes #4572.
2025-12-29 03:44:27 +01:00 · 2023-01-31 22:13:45 +01:00
parent a3edd829a6
commit 24c19efd52
1 changed files with 6 additions and 0 deletions
--- a/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml
+++ b/BTCPayServer/Views/Shared/Crowdfund/Public/ViewCrowdfund.cshtml
@@ -1,9 +1,15 @@
@model BTCPayServer.Plugins.Crowdfund.Models.ViewCrowdfundViewModel
@using BTCPayServer.Plugins.Crowdfund.Models
@inject BTCPayServer.Services.BTCPayServerEnvironment Env
+@inject BTCPayServer.Security.ContentSecurityPolicies Csp
@{
    ViewData["Title"] = Model.Title;
    Layout = null;
+    if (!string.IsNullOrEmpty(Model.DisqusShortname))
+    {
+        Csp.Add("script-src", $"https://{Model.DisqusShortname}.disqus.com");
+        Csp.Add("script-src", "https://c.disquscdn.com");
+    }
 }
 <!DOCTYPE html>
 <html class="h-100" @(Env.IsDeveloping ? " data-devenv" : "")>