diff --git a/CHANGELOG.md b/CHANGELOG.md index dcda643d1..8dc8f193c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Fixed an issue with the clone functionality of a transaction caused by the symbol search component -## 1.283.2 - 2023-06-24 +## 1.283.5 - 2023-06-25 ### Added diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts index 83e97069e..33fd40a30 100644 --- a/apps/api/src/main.ts +++ b/apps/api/src/main.ts @@ -35,17 +35,20 @@ async function bootstrap() { // Support 10mb csv/json files for importing activities app.use(bodyParser.json({ limit: '10mb' })); - app.use( - helmet({ - contentSecurityPolicy: { - directives: { - scriptSrc: ["'self'", "'unsafe-inline'"], // Allow inline scripts - scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers - styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles + if (configService.get('ENABLE_FEATURE_SUBSCRIPTION') === 'true') { + app.use( + helmet({ + contentSecurityPolicy: { + directives: { + frameSrc: ["'self'", 'https://js.stripe.com'], // Allow loading frames from Stripe + scriptSrc: ["'self'", "'unsafe-inline'", 'https://js.stripe.com'], // Allow inline scripts and scripts from Stripe + scriptSrcAttr: ["'self'", "'unsafe-inline'"], // Allow inline event handlers + styleSrc: ["'self'", "'unsafe-inline'"] // Allow inline styles + } } - } - }) - ); + }) + ); + } const BASE_CURRENCY = configService.get('BASE_CURRENCY'); const HOST = configService.get('HOST') || '0.0.0.0'; diff --git a/package.json b/package.json index 8d0a952be..3953a1060 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "ghostfolio", - "version": "1.283.2", + "version": "1.283.5", "homepage": "https://ghostfol.io", "license": "AGPL-3.0", "scripts": {