Add CSP (Disable it if custom theming)

2025-12-17 14:04:26 +01:00 · 2018-07-12 17:38:21 +09:00
parent 6ea2d9175d
commit 976d9d0cda
12 changed files with 308 additions and 21 deletions
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -187,6 +187,20 @@ namespace BTCPayServer.Controllers
            if (model == null)
                return NotFound();

+
+            _CSP.Add(new ConsentSecurityPolicy("script-src", "'unsafe-eval'")); // Needed by Vue
+            if(!string.IsNullOrEmpty(model.CustomCSSLink) && 
+                Uri.TryCreate(model.CustomCSSLink, UriKind.Absolute, out var uri))
+            {
+                _CSP.Clear();
+            }
+
+            if (!string.IsNullOrEmpty(model.CustomLogoLink) &&
+                Uri.TryCreate(model.CustomLogoLink, UriKind.Absolute, out uri))
+            {
+                _CSP.Clear();
+            }
+
            return View(nameof(Checkout), model);
        }