Closed
Bug 1009696
Opened 10 years ago
Closed 9 years ago
why do we whitelist paypal sandbox on -dev?
Categories
(addons.mozilla.org Graveyard :: Code Quality, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: clouserw, Unassigned)
In our CSP rules we whitelist sandbox.paypal.com for frame-src[1]. This is fine if we need it, but dveditz noticed we aren't whitelisting PayPal in our production service. When we turn on production CSP, are we going to wish we were?

tl;dr: Does PayPal on AMO use frames, and do we need to whitelist it in CSP?

[1] https://github.com/mozilla/olympia/blob/master/sites/dev/settings_addons.py#L18
Comment 1•10 years ago
Yes, we should whitelist it in the CSP on prod; PayPal opens an iframe to start the payment flow.
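Added example, not part of the bug thread or of the olympia code base: a small Python check that evaluates whether a frame URL is permitted by a policy's effective frame source list (`frame-src`, falling back to `child-src`, then `default-src`), so a dev/prod mismatch like the one discussed here shows up before enforcement is turned on. The policies, the page origin `https://addons.example`, and the production frame host `https://www.paypal.com` are assumptions constructed for illustration; sources with ports or paths are not handled.

```python
from urllib.parse import urlsplit

def frame_sources(policy):
    """Source list governing iframes: frame-src, else child-src, else default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return directives[name]
    return None  # no directive restricts frames

def frame_allowed(policy, frame_url, page_origin):
    """Simplified CSP source matching (no port or path handling)."""
    sources = frame_sources(policy)
    if sources is None:
        return True
    url, page = urlsplit(frame_url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if (url.scheme, url.hostname) == (page.scheme, page.hostname):
                return True
        elif src.startswith("'"):
            continue  # 'none' and other keywords never match a URL
        elif src.endswith(":"):  # scheme-source such as https:
            if url.scheme == src[:-1]:
                return True
        else:
            scheme, _, host = src.rpartition("://")
            # A source without a scheme takes the page's scheme (https also accepted).
            if url.scheme not in ((scheme,) if scheme else (page.scheme, "https")):
                continue
            if host == "*" or host == url.hostname or (
                    host.startswith("*.") and url.hostname.endswith(host[1:])):
                return True
    return False

# Constructed policies: DEV mirrors the rule described in the bug, PROD omits PayPal.
DEV = "default-src 'self'; frame-src 'self' https://sandbox.paypal.com"
PROD = "default-src 'self'; frame-src 'self'"
PAGE = "https://addons.example"                   # placeholder page origin
SANDBOX_FRAME = "https://sandbox.paypal.com/pay"  # host named in the bug
PROD_FRAME = "https://www.paypal.com/pay"         # assumed production frame host

def report():
    return {"dev/sandbox": frame_allowed(DEV, SANDBOX_FRAME, PAGE),
            "prod/paypal": frame_allowed(PROD, PROD_FRAME, PAGE),
            "prod/fixed": frame_allowed(PROD + " https://www.paypal.com", PROD_FRAME, PAGE)}
```

Running `report()` against the real dev and prod policy strings in report-only mode gives the same answer the bug asks for without waiting for a blocked payment frame.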
Comment 2•9 years ago
We'll address this in https://github.com/mozilla/olympia/issues/995.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard