environment('local'); $scriptSrc = [ "'self'", "'unsafe-inline'", 'https://js.stripe.com', 'https://js.stripe.network', 'https://m.stripe.network', 'https://*.stripe.com', 'https://*.stripe.network', 'https://www.paypal.com', 'https://*.paypal.com', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', ]; $styleSrc = [ "'self'", "'unsafe-inline'", 'data:', 'https:', 'https://*.stripe.com', 'https://*.stripe.network', 'https://www.paypal.com', 'https://*.paypal.com', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', ]; $imgSrc = [ "'self'", 'data:', 'https:', 'blob:', 'https://*.stripe.com', 'https://*.stripe.network', 'https://q.stripe.com', 'https://r.stripe.com', 'https://www.paypal.com', 'https://*.paypal.com', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', ]; $fontSrc = [ "'self'", 'data:', 'https:', 'https://*.stripe.com', 'https://*.stripe.network', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', ]; $connectSrc = [ "'self'", 'https://api.stripe.com', 'https://api.stripe.network', 'https://js.stripe.com', 'https://m.stripe.com', 'https://m.stripe.network', 'https://connect.stripe.com', 'https://*.stripe.com', 'https://*.stripe.network', 'https://r.stripe.com', 'https://q.stripe.com', 'https://www.paypal.com', 'https://*.paypal.com', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', 'wss://*.stripe.network', ]; $mediaSrc = [ "'self'", 'data:', 'blob:', 'https:', 'https://js.stripe.com', 'https://*.stripe.com', 'https://*.stripe.network', 'https://m.stripe.network', 'https://www.paypal.com', 'https://*.paypal.com', 'https://www.paypalobjects.com', 'https://*.paypalobjects.com', ]; $frameSrc = [ "'self'", 'https://js.stripe.com', 'https://*.stripe.com', 'https://hooks.stripe.com', 'https://www.paypal.com', 'https://*.paypal.com', ]; $workerSrc = [ "'self'", 'blob:', 'https://js.stripe.com', 'https://*.stripe.com', 'https://*.stripe.network', 'https://m.stripe.network', 'https://www.paypal.com', 'https://*.paypal.com', ]; if ($isLocal) { $devHost = 'http://localhost:5173'; $scriptSrc[] = $devHost; $styleSrc[] = $devHost; $imgSrc[] = $devHost; $fontSrc[] = $devHost; $connectSrc[] = $devHost; $connectSrc[] = 'ws://localhost:5173'; $mediaSrc[] = $devHost; $frameSrc[] = $devHost; $workerSrc[] = $devHost; } $directives = [ "default-src 'self'", 'script-src ' . implode(' ', $scriptSrc), 'style-src ' . implode(' ', $styleSrc), 'img-src ' . implode(' ', $imgSrc), 'font-src ' . implode(' ', $fontSrc), 'connect-src ' . implode(' ', $connectSrc), 'media-src ' . implode(' ', $mediaSrc), 'frame-src ' . implode(' ', $frameSrc), 'worker-src ' . implode(' ', $workerSrc), 'child-src ' . implode(' ', $frameSrc), "object-src 'none'", "base-uri 'self'", "form-action 'self'", ]; $response->headers->set('Content-Security-Policy', implode('; ', $directives) . ';'); return $response; } }