
Unfortunately, we have to enable unsafe-inline if we are using PayPal #4189

Merged
ildyria merged 1 commit into master from fix-csp-paypal
Mar 16, 2026

Conversation

ildyria (Member) commented Mar 16, 2026

https://developer.paypal.com/sdk/js/best-practices/

Our CSP recommendation: use 'unsafe-inline'

However, unsafe-inline is ignored as soon as there is a hash in the list. So we need to also disable the hash list...

Summary by CodeRabbit

  • New Features
    • PayPal payment option now integrated into the checkout process with enhanced security protocols configured.
  • Style
    • Layout adjustments made for improved component presentation consistency.
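The CSP behaviour behind this change, as an added example that is not part of this project or the PR: in CSP Level 2 and later browsers, 'unsafe-inline' in script-src is ignored whenever the same directive also carries a nonce or hash source, so keeping the sha256 allowlist alongside 'unsafe-inline' would leave PayPal's inline script blocked. The checker below parses a policy header and reports whether 'unsafe-inline' is actually effective; the PayPal SDK origin and the sha256 value are assumed placeholders, since the PR does not list the exact hosts or hashes.

```javascript
// Added example, not code from this PR or its project. It models the CSP rule
// the PR relies on: in CSP Level 2+ browsers, 'unsafe-inline' in script-src is
// ignored whenever the same directive also carries a nonce- or hash-source, so
// a policy that lists both looks permissive but still blocks inline scripts.

const HASH_OR_NONCE = /^'(nonce-|sha(256|384|512)-)/;

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// For one directive, report whether 'unsafe-inline' is listed and whether a
// modern browser will actually honour it.
function inlineStatus(header, directive = 'script-src') {
  const sources = parseCsp(header).get(directive) || [];
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  const hasHashOrNonce = sources.some((s) => HASH_OR_NONCE.test(s));
  return { hasUnsafeInline, hasHashOrNonce, inlineEffective: hasUnsafeInline && !hasHashOrNonce };
}

// Mirror the PR's conditional: when a PayPal client id is configured, allow
// inline scripts and drop the hash allowlist (keeping it would cancel
// 'unsafe-inline'); otherwise keep the strict hash-based list.
// The SDK origin is an assumption; the PR does not name the exact hosts.
function scriptSrcFor(paypalClientId, hashes) {
  const base = ["'self'", 'https://www.paypal.com'];
  return paypalClientId ? [...base, "'unsafe-inline'"] : [...base, ...hashes];
}

// Constructed sample policies; the sha256 value is a placeholder, not a real hash.
const BROKEN_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'sha256-PLACEHOLDER' https://www.paypal.com";
const FIXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.paypal.com";

console.log('broken policy:', inlineStatus(BROKEN_CSP)); // inlineEffective: false
console.log('fixed policy:', inlineStatus(FIXED_CSP));   // inlineEffective: true
```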

@ildyria ildyria requested a review from a team as a code owner March 16, 2026 15:10
coderabbitai bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between b7948a9 and 269a3cf.

Files selected for processing (2)
  • config/secure-headers.php
  • resources/js/components/webshop/OrderSummary.vue

Walkthrough

PayPal integration is added to Content Security Policy configuration with conditional rules based on PAYPAL_CLIENT_ID environment variable. A styling class update was applied to the OrderSummary Vue component.

Changes

  • PayPal CSP Configuration (config/secure-headers.php): Added PayPal SDK and assets domains (connect-src, img-src, script-src). Made unsafe-inline and sha256 hash allowlists conditional on PAYPAL_CLIENT_ID environment variable presence.
  • Component Styling Update (resources/js/components/webshop/OrderSummary.vue): Changed root div minimum height class from min-h-[400px] to min-h-100.

Estimated code review effort: 2 (Simple), ~12 minutes

Poem

🐰 A bunny hops through secure headers with glee,
PayPal joins the CSP party, conditional and free!
When PAYPAL_CLIENT_ID shows its face,
Hashes and inline scripts find their place.
OrderSummary stretches with a stylish new height—
Our webshop configuration hops toward the light! 🌙

Pre-merge checks: 1 passed
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@ildyria ildyria merged commit ba2b533 into master Mar 16, 2026
44 of 45 checks passed
@ildyria ildyria deleted the fix-csp-paypal branch March 16, 2026 16:34