soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

funktionierender stand, purchasewizard noch nicht optimiert.

Browse Source
This commit is contained in:
Codex Agent
2025-10-04 16:49:21 +02:00
parent bc6a75961a
commit 3c0bbb688b
15 changed files with 400 additions and 1867 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
app/Http/Middleware/StripeCSP.php
View File

@@ -9,152 +9,19 @@ use Symfony\Component\HttpFoundation\Response;
class StripeCSP
{
/**
* Apply a CSP that allows Stripe and PayPal assets on the purchase wizard.
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$response = $next($request);
$isLocal = app()->environment('local');
$csp = "default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com https://js.stripe.network; style-src 'self' 'unsafe-inline' data: https:; img-src 'self' data: https: blob:; font-src 'self' data: https:; connect-src 'self' https://api.stripe.com https://api.stripe.network wss://*.stripe.network; media-src 'self' data: blob:; frame-src 'self' https://js.stripe.com; object-src 'none'; base-uri 'self'; form-action 'self';";
$scriptSrc = [
"'self'",
"'unsafe-inline'",
'https://js.stripe.com',
'https://js.stripe.network',
'https://m.stripe.network',
'https://*.stripe.com',
'https://*.stripe.network',
'https://www.paypal.com',
'https://*.paypal.com',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
];
$styleSrc = [
"'self'",
"'unsafe-inline'",
'data:',
'https:',
'https://*.stripe.com',
'https://*.stripe.network',
'https://www.paypal.com',
'https://*.paypal.com',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
];
$imgSrc = [
"'self'",
'data:',
'https:',
'blob:',
'https://*.stripe.com',
'https://*.stripe.network',
'https://q.stripe.com',
'https://r.stripe.com',
'https://www.paypal.com',
'https://*.paypal.com',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
];
$fontSrc = [
"'self'",
'data:',
'https:',
'https://*.stripe.com',
'https://*.stripe.network',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
];
$connectSrc = [
"'self'",
'https://api.stripe.com',
'https://api.stripe.network',
'https://js.stripe.com',
'https://m.stripe.com',
'https://m.stripe.network',
'https://connect.stripe.com',
'https://*.stripe.com',
'https://*.stripe.network',
'https://r.stripe.com',
'https://q.stripe.com',
'https://www.paypal.com',
'https://*.paypal.com',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
'wss://*.stripe.network',
];
$mediaSrc = [
"'self'",
'data:',
'blob:',
'https:',
'https://js.stripe.com',
'https://*.stripe.com',
'https://*.stripe.network',
'https://m.stripe.network',
'https://www.paypal.com',
'https://*.paypal.com',
'https://www.paypalobjects.com',
'https://*.paypalobjects.com',
];
$frameSrc = [
"'self'",
'https://js.stripe.com',
'https://*.stripe.com',
'https://hooks.stripe.com',
'https://www.paypal.com',
'https://*.paypal.com',
];
$workerSrc = [
"'self'",
'blob:',
'https://js.stripe.com',
'https://*.stripe.com',
'https://*.stripe.network',
'https://m.stripe.network',
'https://www.paypal.com',
'https://*.paypal.com',
];
if ($isLocal) {
$devHost = 'http://localhost:5173';
$scriptSrc[] = $devHost;
$styleSrc[] = $devHost;
$imgSrc[] = $devHost;
$fontSrc[] = $devHost;
$connectSrc[] = $devHost;
$connectSrc[] = 'ws://localhost:5173';
$mediaSrc[] = $devHost;
$frameSrc[] = $devHost;
$workerSrc[] = $devHost;
}
$directives = [
"default-src 'self'",
'script-src ' . implode(' ', $scriptSrc),
'style-src ' . implode(' ', $styleSrc),
'img-src ' . implode(' ', $imgSrc),
'font-src ' . implode(' ', $fontSrc),
'connect-src ' . implode(' ', $connectSrc),
'media-src ' . implode(' ', $mediaSrc),
'frame-src ' . implode(' ', $frameSrc),
'worker-src ' . implode(' ', $workerSrc),
'child-src ' . implode(' ', $frameSrc),
"object-src 'none'",
"base-uri 'self'",
"form-action 'self'",
];
$response->headers->set('Content-Security-Policy', implode('; ', $directives) . ';');
$response->headers->set('Content-Security-Policy', $csp);
return $response;
}
}
}