Remove Stripe from Content-Security-Policy header (#16388)

Teleport Cloud no longer handles payments via Stripe, so no need to whitelist Stripe in CSP for `script-src` and `frame-src`.
gravitational · Sep 15, 2022 · 1949f4a · 1949f4a
1 parent 3692f97
commit 1949f4a
Showing 1 changed file with 0 additions and 3 deletions.
diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
@@ -64,9 +64,6 @@ func SetIndexHTMLHeaders(h http.Header) {
 	// Set content policy flags
 	var cspValue = strings.Join([]string{
 		"default-src 'self'",
-		// cloud version uses stripe.com to update billing information
-		"script-src 'self' https://js.stripe.com",
-		"frame-src https://js.stripe.com",
 		"frame-ancestors 'none'",
 		// 'unsafe-inline' is required by CSS-in-JS to work
 		"style-src 'self' 'unsafe-inline'",