
fix(csp): allow Dodo Payments SDK script origin in script-src#2631

Merged
koala73 merged 1 commit into main from fix/csp-dodo-sdk-script-src
Apr 2, 2026

Conversation

@koala73
Owner

@koala73 koala73 commented Apr 2, 2026

Fixes CSP violation reported in Sentry (issue 7368303076).

The Dodo Payments checkout overlay SDK (dodopayments-checkout package) loads its script from https://sdk.custom.hs.dodopayments.com/ which was blocked by our script-src directive.

Changes:

  • vercel.json (production): add https://sdk.custom.hs.dodopayments.com to script-src
  • index.html (dev/Tauri): same

The checkout frame-src already had checkout.dodopayments.com and test.checkout.dodopayments.com from PR #2024.

Sentry issue marked resolved (inNextRelease).

@vercel

vercel bot commented Apr 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

  • Project: worldmonitor; Deployment: Ignored; Actions: Ignored; Updated (UTC): Apr 2, 2026 8:45pm

@greptile-apps
Contributor

greptile-apps bot commented Apr 2, 2026

Greptile Summary

This PR fixes a Content Security Policy violation by adding https://sdk.custom.hs.dodopayments.com to the script-src directive in both vercel.json (production HTTP headers) and index.html (dev/Tauri meta tag). This unblocks the Dodo Payments checkout overlay SDK, whose script origin was missing from the allow-list while the frame-src for the checkout iframes was already present.

  • vercel.json: Appends https://sdk.custom.hs.dodopayments.com to script-src, keeping the existing connect-src https: wildcard sufficient for API calls the SDK may make.
  • index.html: Same addition mirrored for the dev/Tauri environment.
  • The fix is narrowly scoped to the exact reported origin rather than using a broader wildcard (e.g., https://*.dodopayments.com), which is good CSP hygiene.
  • Pre-existing minor inconsistency: the ordering of https://*.clerk.accounts.dev and https://abacus.worldmonitor.app differs between the two files, but this predates this PR and has no functional impact.

Confidence Score: 4/5

Safe to merge — minimal, targeted CSP change addressing a confirmed Sentry violation with no functional regressions expected.

Both vercel.json and index.html are updated consistently with a narrowly-scoped origin rather than a wildcard. The connect-src wildcard (https:) already covers any API calls the SDK makes, and frame-src already covers the checkout iframe domains. The one point of uncertainty (score not 5) is that the Dodo Payments overlay SDK might dynamically inject additional sub-scripts or stylesheets from other origins at runtime, which could produce further CSP violations not yet observed.

No files require special attention — both changed files are configuration only.

Important Files Changed

  • vercel.json: Appends https://sdk.custom.hs.dodopayments.com to script-src in the production CSP header; change is minimal and correctly scoped.
  • index.html: Same script-src addition as vercel.json, applied to the dev/Tauri <meta http-equiv="Content-Security-Policy"> tag.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant CSP
    participant DodoSDK as sdk.custom.hs.dodopayments.com
    participant CheckoutFrame as checkout.dodopayments.com

    Browser->>CSP: Load script from sdk.custom.hs.dodopayments.com
    Note over CSP: script-src now includes this origin ✅
    CSP->>DodoSDK: Request allowed
    DodoSDK-->>Browser: dodopayments-checkout SDK bundle

    Browser->>CSP: Open checkout iframe (checkout.dodopayments.com)
    Note over CSP: frame-src already covers this origin ✅
    CSP->>CheckoutFrame: Frame allowed
    CheckoutFrame-->>Browser: Checkout overlay rendered

Reviews (1): Last reviewed commit: "fix(csp): allow Dodo Payments SDK script..."

{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(self), accelerometer=(), autoplay=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), bluetooth=(), display-capture=(), encrypted-media=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(self \"https://www.youtube.com\" \"https://www.youtube-nocookie.com\"), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=()" },
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data: https://*.ingest.sentry.io https://*.ingest.us.sentry.io; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=' 'sha256-4Z2xtr1B9QQugoojE/nbpOViG+8l2B7CZVlKgC78AeQ=' 'sha256-903UI9my1I7mqHoiVeZSc56yd50YoRJTB2269QqL76w=' 'sha256-EytE6o1N8rwzpVFMrF+WvBZr2y5UhFLw79o1/4VqS0s=' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live https://challenges.cloudflare.com https://*.clerk.accounts.dev https://abacus.worldmonitor.app; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://webcams.windy.com https://challenges.cloudflare.com https://*.clerk.accounts.dev https://vercel.live https://*.vercel.app https://checkout.dodopayments.com https://test.checkout.dodopayments.com; frame-ancestors 'self' https://www.worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://worldmonitor.app https://vercel.live https://*.vercel.app; base-uri 'self'; object-src 'none'; form-action 'self' https://api.worldmonitor.app" }
{ "key": "Content-Security-Policy", "value": "default-src 'self'; connect-src 'self' https: wss: blob: data: https://*.ingest.sentry.io https://*.ingest.us.sentry.io; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'sha256-LnMFPWZxTgVOr2VYwIh9mhQ3l/l3+a3SfNOLERnuHfY=' 'sha256-4Z2xtr1B9QQugoojE/nbpOViG+8l2B7CZVlKgC78AeQ=' 'sha256-903UI9my1I7mqHoiVeZSc56yd50YoRJTB2269QqL76w=' 'sha256-EytE6o1N8rwzpVFMrF+WvBZr2y5UhFLw79o1/4VqS0s=' 'wasm-unsafe-eval' https://www.youtube.com https://static.cloudflareinsights.com https://vercel.live https://challenges.cloudflare.com https://*.clerk.accounts.dev https://abacus.worldmonitor.app https://sdk.custom.hs.dodopayments.com; worker-src 'self' blob:; font-src 'self' data: https:; media-src 'self' data: blob: https:; frame-src 'self' https://worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://webcams.windy.com https://challenges.cloudflare.com https://*.clerk.accounts.dev https://vercel.live https://*.vercel.app https://checkout.dodopayments.com https://test.checkout.dodopayments.com; frame-ancestors 'self' https://www.worldmonitor.app https://tech.worldmonitor.app https://finance.worldmonitor.app https://commodity.worldmonitor.app https://happy.worldmonitor.app https://worldmonitor.app https://vercel.live https://*.vercel.app; base-uri 'self'; object-src 'none'; form-action 'self' https://api.worldmonitor.app" }
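Review bot: only the vercel.json side of the change is visible in this hunk; the index.html mirror named in the description is not in view, and since both policies are maintained by hand (the summary already notes that the order of https://*.clerk.accounts.dev and https://abacus.worldmonitor.app differs between the two files), please confirm the script-src source set, not the raw string, is identical in both, or add a small test that parses both policies and compares directive sets so they cannot drift apart. The new origin is appended at the end of script-src only; connect-src needs no change because its existing https: source already covers calls to the SDK origin, and frame-src already lists https://checkout.dodopayments.com and https://test.checkout.dodopayments.com.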
Contributor


P2 SDK may need style-src allowance too

The dodopayments-checkout overlay SDK injects a full checkout UI. If it loads any external stylesheets from sdk.custom.hs.dodopayments.com (rather than inlining all styles), those would be blocked by the current style-src 'self' 'unsafe-inline' https://fonts.googleapis.com directive.

The Sentry report only captured the script-src violation, but it's worth keeping an eye on the browser console (or Sentry) after deploying — if the overlay renders without styling or triggers a new CSP report, https://sdk.custom.hs.dodopayments.com may need to be added to style-src as well (and mirrored in index.html).

No action required now, but worth verifying once deployed.
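A small checker for the two points raised in the Greptile summary and in the style-src comment above, as an added example that is not the project's own code: it parses a CSP header, asks whether the SDK origin is allowed by a given directive, and reports directives whose source sets differ between the vercel.json and index.html policies. The policy strings inside are constructed, shortened versions of the headers in this PR, and source matching is simplified (ports and paths are ignored).

```javascript
// Added example, not the project's own code: a small CSP checker for the two
// questions raised in this PR (is the SDK origin allowed, and do the vercel.json
// and index.html policies still agree). Sample policies are constructed.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive name; keep the first occurrence.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), new Set(sources));
    }
  }
  return directives;
}

// Simplified CSP source matching: exact origin, 'self', scheme-only sources
// ("https:") and leading "*." host wildcards; ports/paths ignored, hash and
// nonce sources never match. Falls back to default-src when absent.
function allowsOrigin(directives, directive, origin, siteOrigin) {
  const sources = directives.get(directive) || directives.get("default-src") || new Set();
  const url = new URL(origin);
  for (const src of sources) {
    if (src === "'self'" && url.origin === siteOrigin) return true;
    if (src === url.protocol) return true; // scheme-only source, e.g. "https:"
    const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)/i.exec(src);
    if (!m || `${m[1]}:` !== url.protocol) continue;
    if (m[2] ? url.hostname.endsWith(`.${m[3]}`) : url.hostname === m[3]) return true;
  }
  return false;
}

// Directives whose source *sets* differ between two policies; an ordering-only
// difference like the one Greptile noted is therefore not reported as drift.
function policyDrift(a, b) {
  const pa = parseCsp(a), pb = parseCsp(b);
  return [...new Set([...pa.keys(), ...pb.keys()])].filter((n) => {
    const x = pa.get(n) || new Set(), y = pb.get(n) || new Set();
    return x.size !== y.size || [...x].some((s) => !y.has(s));
  });
}
// Constructed sample policies (shortened; not the exact project headers).
const PROD_BEFORE = "default-src 'self'; script-src 'self' https://*.clerk.accounts.dev https://abacus.worldmonitor.app; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https://checkout.dodopayments.com";
const PROD_AFTER = PROD_BEFORE.replace("https://abacus.worldmonitor.app;", "https://abacus.worldmonitor.app https://sdk.custom.hs.dodopayments.com;");
const DEV_AFTER = "default-src 'self'; script-src 'self' https://abacus.worldmonitor.app https://*.clerk.accounts.dev https://sdk.custom.hs.dodopayments.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://checkout.dodopayments.com";
const SDK = "https://sdk.custom.hs.dodopayments.com", SITE = "https://worldmonitor.app";
console.log(allowsOrigin(parseCsp(PROD_BEFORE), "script-src", SDK, SITE)); // false: the Sentry violation
console.log(allowsOrigin(parseCsp(PROD_AFTER), "script-src", SDK, SITE));  // true after this PR
console.log(allowsOrigin(parseCsp(PROD_AFTER), "style-src", SDK, SITE));   // false: the style-src caveat above
console.log(policyDrift(PROD_AFTER, DEV_AFTER)); // [ 'style-src' ]: script-src ordering is not drift
```

Running the same check against the full vercel.json and index.html strings is a one-line change; the drift report is the piece worth wiring into CI, since the two copies are edited by hand.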

@koala73 koala73 merged commit 6a7749b into main Apr 2, 2026
8 checks passed