From 76a96f703f3e2848de19567f550c35e95ef74327 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Fri, 26 Aug 2022 00:11:23 -0500
Subject: [PATCH] Remove Stripe from `Content-Security-Policy` header

Teleport Cloud no longer handles payments via Stripe, so no need to whitelist Stripe in CSP for `script-src` and `frame-src`.
---
 lib/httplib/httpheaders.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index 00ea2cb729f82..44ef444d1e53d 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -64,9 +64,6 @@ func SetIndexHTMLHeaders(h http.Header) {
 // Set content policy flags
 var cspValue = strings.Join([]string{
 "default-src 'self'",
- // cloud version uses stripe.com to update billing information
- "script-src 'self' https://js.stripe.com",
- "frame-src https://js.stripe.com",
 "frame-ancestors 'none'",
 // 'unsafe-inline' is required by CSS-in-JS to work
 "style-src 'self' 'unsafe-inline'",