Closed lphilippo closed 3 years ago
Hello @olegisk
Did you have a moment to look into this? Our ideal solution would be to see these domains included in the existing etc/csp_whitelist.xml, but if that's not possible in the near future, we will need to solve this in another way.
In that case, would you be able to provide information about the domains for each payment method, as I assume (or hope ;-)) that these are defined? We currently need to fall back to allowing all access for form-action CSP, which kind of defeats the purpose...
Any update is much appreciated!
@lphilippo Unfortunately, I don't have enough time at the moment because I have a lot of tasks related to the Ingenico Magento extension. But you can do a pull request if possible.
@olegisk Thanks for the update. The PR is not a problem, but unfortunately we don't have insights into the various domains that are being used by the supported payment methods. We had hoped that this information is available for you.
However, we will continue with the work-around in the meanwhile. Thanks!
As we use Content Security Policies in our shops to restrict various behaviours, we're happy to see the /etc/csp_whitelist.xml which defines the required whitelisted domains. Unfortunately, with the recent change of moving the bank selection for iDeal payments to the checkout page, the redirect domains for certain banks were being blocked. For example, we were hitting:
Although these bank-specific domains are not hard-coded in this module, would it still be possible to include all necessary domains in csp_whitelist.xml to keep them all in a central place? For the moment we have to rely on a wild-card whitelist, which is of course far from ideal.
If for any reason this is not desired, would you be able to provide the known redirect domains for the banks that you support?
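An added example, not part of the thread or of the module's code: a small Python check that reads a csp_whitelist.xml and reports the form-action entries that are wildcards rather than exact hosts, which is the fallback this issue describes. The XML is a constructed sample and every *.example host in it is a placeholder, not a real bank redirect domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the csp_whitelist.xml layout; all hosts are placeholders.
SAMPLE = """<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
  <policies>
    <policy id="form-action">
      <values>
        <value id="bank_a" type="host">secure.bank-a.example</value>
        <value id="bank_b" type="host">*.bank-b.example</value>
        <value id="fallback" type="host">*</value>
      </values>
    </policy>
    <policy id="script-src">
      <values>
        <value id="psp_js" type="host">js.psp.example</value>
      </values>
    </policy>
  </policies>
</csp_whitelist>"""


def classify(source):
    """Return 'any', 'subdomain-wildcard' or 'exact' for one CSP source."""
    s = source.strip().lower()
    # A bare '*' or a scheme-only source matches every host.
    if s in ("*", "http:", "https:", "http://*", "https://*"):
        return "any"
    host = s.split("://", 1)[-1]
    return "subdomain-wildcard" if host.startswith("*.") else "exact"


def audit(xml_text, directive="form-action"):
    """List (id, source, kind) for non-exact entries of one directive."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("id") != directive:
            continue
        for value in policy.iter("value"):
            source = (value.text or "").strip()
            kind = classify(source)
            if kind != "exact":
                findings.append((value.get("id"), source, kind))
    return findings


if __name__ == "__main__":
    for entry_id, source, kind in audit(SAMPLE):
        print(f"form-action {entry_id}: {source} ({kind})")
```

Run against each module's whitelist file in a build step, this shows when a wildcard workaround is still in place after the exact redirect hosts become known.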