From 04b6ad06543b81c66a950f13c4c500c3a7a80b1b Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber <a.saber@odex.sa>
Date: Tue, 14 Oct 2025 18:21:19 +0300
Subject: [PATCH 1/5] Revert "[FIX] applepay_fast_checkout, payment_hyperpay:
 use local jquery to prevent CSP violation"

This reverts commit 33f97cdf9d6430b34264219bd50d9972ab8acac5.
---
 .../applepay_fast_checkout/controllers/main.py           | 9 ++-------
 .../applepay_fast_checkout/views/applepay_iframe.xml     | 8 ++++----
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/odex25_donation/applepay_fast_checkout/controllers/main.py b/odex25_donation/applepay_fast_checkout/controllers/main.py
index a691e6661..c68069d30 100644
--- a/odex25_donation/applepay_fast_checkout/controllers/main.py
+++ b/odex25_donation/applepay_fast_checkout/controllers/main.py
@@ -18,13 +18,8 @@ class ApplePayFastCheckout(Controller):
 
         integrity = requests.get(f'{url}/v1/fastcheckout/integrity').json().get('integrity', '')
 
-        response = request.render("applepay_fast_checkout.apple_pay_iframe", {
-            'hyperpay_src': f"{url}/v1/paymentWidgets.js", 
-            'merchant_id': acquirer_id.applepay_entity_id, 
-            'script_nonce': nonce,  
-            'integrity': integrity
-        })
-        # response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
+        response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': f"{url}/v1/paymentWidgets.js", 'merchant_id': acquirer_id.applepay_entity_id, 'nonce': nonce, 'integrity': integrity})
+        response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
 
         return response
 
diff --git a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
index 3e0d7d694..cce1316f6 100644
--- a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
+++ b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
@@ -8,16 +8,16 @@
                     t-attf-content="
                     style-src 'self' https://*.oppwa.com 'unsafe-inline';
                     frame-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com;
-                    script-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com 'nonce-{{script_nonce}}';
+                    script-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com 'nonce-{{nonce}}';
                     connect-src 'self' https://*.oppwa.com;
                     img-src 'self' https://*.oppwa.com;" />
 
                 <script t-att-src="hyperpay_src" t-att-integrity="integrity" crossorigin="anonymous" />
-                <script src="/web/static/lib/jquery/jquery.js" t-att-nonce="script_nonce" />
-                <script t-att-nonce="script_nonce">
+                <script src="/web/static/lib/jquery/jquery.js" t-att-nonce="nonce" />
+                <script>
                     merchant_id = "<t t-esc="merchant_id" />";
                 </script>
-                <script src="/applepay_fast_checkout/static/src/js/applepay_iframe.js" t-att-nonce="script_nonce"/>
+                <script src="/applepay_fast_checkout/static/src/js/applepay_iframe.js" t-att-nonce="nonce"/>
                 <link rel="stylesheet" href="/applepay_fast_checkout/static/src/css/applepay_iframe_content.css" />
             </head>
             <body>

From 868fb2bef75b8ce42adb006fecd9d24bef057b2b Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber <a.saber@odex.sa>
Date: Tue, 14 Oct 2025 18:21:32 +0300
Subject: [PATCH 2/5] Revert "[FIX] applepay_fast_checkout, payment_hyperpay:
 use local jquery to prevent CSP violation"

This reverts commit d60abd020560465d86c13fe13ed71f1b5a21bc1f.
---
 .../applepay_fast_checkout/views/applepay_iframe.xml            | 2 +-
 .../payment_hyperpay/static/src/js/payment_hyperpay.js          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
index cce1316f6..a9f5d0852 100644
--- a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
+++ b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
@@ -13,7 +13,7 @@
                     img-src 'self' https://*.oppwa.com;" />
 
                 <script t-att-src="hyperpay_src" t-att-integrity="integrity" crossorigin="anonymous" />
-                <script src="/web/static/lib/jquery/jquery.js" t-att-nonce="nonce" />
+                <script src="/web/static/lib/jquery/jquery.js" />
                 <script>
                     merchant_id = "<t t-esc="merchant_id" />";
                 </script>
diff --git a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
index fe9f94021..62b3ccf9b 100644
--- a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
+++ b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
@@ -117,7 +117,7 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
                 $modal_html.appendTo($("body")).modal({ keyboard: false, backdrop: "static" });
                 var style_css = '<link rel="stylesheet" href="' + base_url + '/payment_hyperpay/static/src/css/hyperpay_style.css" />';
                 var script = `<script async src="${domain}/v1/paymentWidgets.js?checkoutId=${checkoutId}" integrity="${result.integrity}" crossorigin="anonymous"></script>`
-                var js_script = `<script src="/web/static/lib/jquery/jquery.js" nonce="${result.nonce}"></script>`
+                var js_script = '<script src="/web/static/lib/jquery/jquery.js"></script>'
                 var shopperResultUrlTag =
                     '<form action="' +
                     base_url +

From b3c1b76451de990b4643ec8fa2913ca9203c737c Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber <a.saber@odex.sa>
Date: Tue, 14 Oct 2025 18:21:42 +0300
Subject: [PATCH 3/5] Revert "[FIX] applepay_fast_checkout, payment_hyperpay:
 use local jquery to prevent CSP violation"

This reverts commit 3722bf9b2df7619d837aee122e60ee769eb6b437.
---
 .../applepay_fast_checkout/views/applepay_iframe.xml            | 2 +-
 .../payment_hyperpay/static/src/js/payment_hyperpay.js          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
index a9f5d0852..7f83bb306 100644
--- a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
+++ b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
@@ -13,7 +13,7 @@
                     img-src 'self' https://*.oppwa.com;" />
 
                 <script t-att-src="hyperpay_src" t-att-integrity="integrity" crossorigin="anonymous" />
-                <script src="/web/static/lib/jquery/jquery.js" />
+                <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js" />
                 <script>
                     merchant_id = "<t t-esc="merchant_id" />";
                 </script>
diff --git a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
index 62b3ccf9b..3cd480a1c 100644
--- a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
+++ b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
@@ -117,7 +117,7 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
                 $modal_html.appendTo($("body")).modal({ keyboard: false, backdrop: "static" });
                 var style_css = '<link rel="stylesheet" href="' + base_url + '/payment_hyperpay/static/src/css/hyperpay_style.css" />';
                 var script = `<script async src="${domain}/v1/paymentWidgets.js?checkoutId=${checkoutId}" integrity="${result.integrity}" crossorigin="anonymous"></script>`
-                var js_script = '<script src="/web/static/lib/jquery/jquery.js"></script>'
+                var js_script = '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>'
                 var shopperResultUrlTag =
                     '<form action="' +
                     base_url +

From a992993ba09074157ce41e94c1f17389873d0c76 Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber <a.saber@odex.sa>
Date: Tue, 14 Oct 2025 18:21:58 +0300
Subject: [PATCH 4/5] Revert "[FIX] applepay_fast_checkout: integrity url"

This reverts commit 1cd20d50678d03fc09817c2e213381a74556e15e.
---
 odex25_donation/applepay_fast_checkout/controllers/main.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/odex25_donation/applepay_fast_checkout/controllers/main.py b/odex25_donation/applepay_fast_checkout/controllers/main.py
index c68069d30..33d4f50d1 100644
--- a/odex25_donation/applepay_fast_checkout/controllers/main.py
+++ b/odex25_donation/applepay_fast_checkout/controllers/main.py
@@ -12,13 +12,13 @@ class ApplePayFastCheckout(Controller):
         acquirer_id = request.env['payment.acquirer'].sudo().search([('provider', '=', 'applepay')], limit=1)
 
         if acquirer_id.state == 'test':
-            url = "https://eu-test.oppwa.com"
+            url = "https://eu-test.oppwa.com/v1/paymentWidgets.js"
         else:
-            url = "https://eu-prod.oppwa.com"
+            url = "https://eu-prod.oppwa.com/v1/paymentWidgets.js"
 
         integrity = requests.get(f'{url}/v1/fastcheckout/integrity').json().get('integrity', '')
 
-        response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': f"{url}/v1/paymentWidgets.js", 'merchant_id': acquirer_id.applepay_entity_id, 'nonce': nonce, 'integrity': integrity})
+        response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': url, 'merchant_id': acquirer_id.applepay_entity_id, 'nonce': nonce, 'integrity': integrity})
         response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
 
         return response

From 403fa67da9d9a8d570d1cb63e7abf0cec01dcb4b Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber <a.saber@odex.sa>
Date: Tue, 14 Oct 2025 18:22:12 +0300
Subject: [PATCH 5/5] Revert "[IMP] payment_applepay, payment_hyperpay:
 implement PCI DSS v4.0 requirements"

This reverts commit 5d768c745fc3b2dbd75d3e00182325b59d9561cc.
---
 .../controllers/main.py                       | 10 +++-----
 .../views/applepay_iframe.xml                 | 12 ++-------
 .../payment_hyperpay/controllers/main.py      | 13 +++-------
 .../static/src/js/payment_hyperpay.js         | 25 ++++++-------------
 4 files changed, 16 insertions(+), 44 deletions(-)

diff --git a/odex25_donation/applepay_fast_checkout/controllers/main.py b/odex25_donation/applepay_fast_checkout/controllers/main.py
index 33d4f50d1..6e5dc3850 100644
--- a/odex25_donation/applepay_fast_checkout/controllers/main.py
+++ b/odex25_donation/applepay_fast_checkout/controllers/main.py
@@ -1,24 +1,20 @@
 import json
-import secrets
-import requests
 
 from odoo.http import route, request, Controller
 
+
 class ApplePayFastCheckout(Controller):
 
     @route('/applepay', type='http', auth='public', website=True, csrf=False)
     def apple_pay_iframe(self, **kwargs):
-        nonce = secrets.token_urlsafe(16)
         acquirer_id = request.env['payment.acquirer'].sudo().search([('provider', '=', 'applepay')], limit=1)
 
         if acquirer_id.state == 'test':
             url = "https://eu-test.oppwa.com/v1/paymentWidgets.js"
         else:
-            url = "https://eu-prod.oppwa.com/v1/paymentWidgets.js"
+            url = "https://oppwa.com/v1/paymentWidgets.js"
 
-        integrity = requests.get(f'{url}/v1/fastcheckout/integrity').json().get('integrity', '')
-
-        response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': url, 'merchant_id': acquirer_id.applepay_entity_id, 'nonce': nonce, 'integrity': integrity})
+        response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': url, 'merchant_id': acquirer_id.applepay_entity_id})
         response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
 
         return response
diff --git a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
index 7f83bb306..d508d8ca7 100644
--- a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
+++ b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
@@ -4,20 +4,12 @@
     <template id="apple_pay_iframe" name="Apple Pay Iframe">
         <html>
             <head>
-                <meta http-equiv="Content-Security-Policy"
-                    t-attf-content="
-                    style-src 'self' https://*.oppwa.com 'unsafe-inline';
-                    frame-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com;
-                    script-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com 'nonce-{{nonce}}';
-                    connect-src 'self' https://*.oppwa.com;
-                    img-src 'self' https://*.oppwa.com;" />
-
-                <script t-att-src="hyperpay_src" t-att-integrity="integrity" crossorigin="anonymous" />
+                <script t-att-src="hyperpay_src" />
                 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js" />
                 <script>
                     merchant_id = "<t t-esc="merchant_id" />";
                 </script>
-                <script src="/applepay_fast_checkout/static/src/js/applepay_iframe.js" t-att-nonce="nonce"/>
+                <script src="/applepay_fast_checkout/static/src/js/applepay_iframe.js" />
                 <link rel="stylesheet" href="/applepay_fast_checkout/static/src/css/applepay_iframe_content.css" />
             </head>
             <body>
diff --git a/odex25_donation/payment_hyperpay/controllers/main.py b/odex25_donation/payment_hyperpay/controllers/main.py
index 163a34586..28f1f98fc 100644
--- a/odex25_donation/payment_hyperpay/controllers/main.py
+++ b/odex25_donation/payment_hyperpay/controllers/main.py
@@ -6,10 +6,8 @@
 #################################################################################
 
 import requests
-import random
-import secrets
-
 from odoo import http
+import random
 
 from odoo.http import request
 from odoo.addons.payment_hyperpay.data.payment_icon import payment_icon
@@ -17,7 +15,8 @@ from odoo.addons.payment_hyperpay.data.payment_icon import payment_icon
 import logging
 _logger = logging.getLogger(__name__)
 
-
+# test_domain = "https://test.oppwa.com"
+# live_domain = "https://oppwa.com"
 test_domain = "https://eu-test.oppwa.com"
 live_domain = "https://eu-prod.oppwa.com"
 
@@ -47,7 +46,6 @@ class HyperPayController(http.Controller):
     @http.route('/payment/hyperpay/checkout/create', type='json', auth='public', csrf=False, website=True)
     def create_hyperpay_checkout(self, **post):
         _logger.info('--post---%r', post)
-        nonce = secrets.token_urlsafe(16)
         tx = request.env['payment.transaction'].sudo().search([('id', '=', int(post.get('txId', 0)))])
         final_response = {}
         if tx:
@@ -67,7 +65,6 @@ class HyperPayController(http.Controller):
                 "currency": tx.currency_id and tx.sudo().currency_id.name or '',
                 "paymentType": "DB",
                 "env": acq.state,
-                "integrity": "true",
                 "customParameters[SHOPPER_tx_id]": tx.id,
                 "merchantTransactionId": tx.reference,
                 "billing.street1": partner_id.street or 'Riyadh',
@@ -98,9 +95,7 @@ class HyperPayController(http.Controller):
                 'base_url': base_url,
                 'data_brands': data_brands,
                 'acq': acq.id, 
-                'website_id': request.session.get('force_website_id') or request.website.id,
-                'integrity': resp.get('integrity', ''),
-                'nonce': nonce,
+                'website_id': request.session.get('force_website_id') or request.website.id
             }
 
         return final_response
diff --git a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
index 3cd480a1c..b982f22bd 100644
--- a/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
+++ b/odex25_donation/payment_hyperpay/static/src/js/payment_hyperpay.js
@@ -16,7 +16,7 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
 
     // Reference
     // https://dev.to/pulljosh/how-to-load-html-css-and-js-code-into-an-iframe-2blc
-    const getGeneratedPageURL = ({ html, css, js, meta, nonce}) => {
+    const getGeneratedPageURL = ({ html, css, js }) => {
         const getBlobURL = (code, type) => {
             const blob = new Blob([code], { type });
             return URL.createObjectURL(blob);
@@ -25,12 +25,11 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
         const source = `
                       <html>
                         <head>
-                          ${meta}
                           ${css}
                           ${js}
                         </head>
                         <body>
-                        <script nonce="${nonce}">
+                        <script>
                         var wpwlOptions = {
                               onReady: function(){
                                 var shopOrigin = $('input[name="shopOrigin"]');
@@ -67,7 +66,7 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
                               }
                             }
                             </script>
-                            <script nonce="${nonce}">
+                            <script>
                             var wpwlOptions = {
                                 browser: {threeDChallengeWindow: 5 },
                                 locale: "ar",
@@ -104,20 +103,20 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
                 txId: self.tx_id,
             }).then(function (result) {
                 if (result) {
-                    self._renderHyperpayModal(result.checkoutId, result.domain, result.base_url, result.data_brands, result.acq, result.website_id, result);
+                    self._renderHyperpayModal(result.checkoutId, result.domain, result.base_url, result.data_brands, result.acq, result.website_id);
                 } else {
                     console.log("Error Occured");
                 }
             });
         },
-        _renderHyperpayModal: function (checkoutId, domain, base_url, data_brands, acq, website_id, result) {
+        _renderHyperpayModal: function (checkoutId, domain, base_url, data_brands, acq, website_id) {
             var self = this;
             try {
                 var $modal_html = $($(".payment_hyper_modal").get()[0]);
                 $modal_html.appendTo($("body")).modal({ keyboard: false, backdrop: "static" });
                 var style_css = '<link rel="stylesheet" href="' + base_url + '/payment_hyperpay/static/src/css/hyperpay_style.css" />';
-                var script = `<script async src="${domain}/v1/paymentWidgets.js?checkoutId=${checkoutId}" integrity="${result.integrity}" crossorigin="anonymous"></script>`
-                var js_script = '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>'
+                var script = '<script async src="' + domain + "/v1/paymentWidgets.js?checkoutId=" + checkoutId + '"></script>';
+                var js_script = '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>';
                 var shopperResultUrlTag =
                     '<form action="' +
                     base_url +
@@ -132,20 +131,10 @@ odoo.define("payment_hyperpay.payment_hyperpay", function (require) {
                 theIframe.style = "display:none";
                 var html = script + shopperResultUrlTag;
 
-                let meta = `<meta http-equiv="Content-Security-Policy"
-                                t-attf-content="
-                                style-src 'self' https://*.oppwa.com 'unsafe-inline';
-                                frame-src 'self' https://*.oppwa.com;
-                                script-src 'self' https://*.oppwa.com https://src.mastercard.com https://p11.techlab-cdn.com 'nonce-${result.nonce}';
-                                connect-src 'self' https://*.oppwa.com;
-                                img-src 'self' https://*.oppwa.com;" />`
-
                 const url = getGeneratedPageURL({
                     html: html,
                     css: style_css,
                     js: js_script,
-                    meta: meta,
-                    nonce: result.nonce
                 });
                 theIframe.src = url;
                 $("#hyperpay-modal-body")[0].appendChild(theIframe);