From 33f97cdf9d6430b34264219bd50d9972ab8acac5 Mon Sep 17 00:00:00 2001
From: Abdurrahman Saber
Date: Wed, 3 Sep 2025 19:28:31 +0300
Subject: [PATCH] [FIX] applepay_fast_checkout, payment_hyperpay: use local jquery to prevent CSP violation
---
 .../applepay_fast_checkout/controllers/main.py | 9 +++++++--
 .../applepay_fast_checkout/views/applepay_iframe.xml | 8 ++++----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/odex25_donation/applepay_fast_checkout/controllers/main.py b/odex25_donation/applepay_fast_checkout/controllers/main.py
index c68069d30..a691e6661 100644
--- a/odex25_donation/applepay_fast_checkout/controllers/main.py
+++ b/odex25_donation/applepay_fast_checkout/controllers/main.py
@@ -18,8 +18,13 @@ class ApplePayFastCheckout(Controller):
 integrity = requests.get(f'{url}/v1/fastcheckout/integrity').json().get('integrity', '')
- response = request.render("applepay_fast_checkout.apple_pay_iframe", {'hyperpay_src': f"{url}/v1/paymentWidgets.js", 'merchant_id': acquirer_id.applepay_entity_id, 'nonce': nonce, 'integrity': integrity})
- response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
+ response = request.render("applepay_fast_checkout.apple_pay_iframe", {
+ 'hyperpay_src': f"{url}/v1/paymentWidgets.js",
+ 'merchant_id': acquirer_id.applepay_entity_id,
+ 'script_nonce': nonce,
+ 'integrity': integrity
+ })
+ # response.headers['Content-Security-Policy'] = "script-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*; worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval' https://*;connect-src 'self' https://* wss://*;frame-src 'self' blob: https://*;"
 return response
diff --git a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
index cce1316f6..3e0d7d694 
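Review bot: The header-level policy at the end of the hunk is commented out instead of deleted, which leaves dead code and also means the only CSP this iframe page now carries is the `<meta http-equiv>` one in the template, and a meta-delivered policy cannot express `frame-ancestors` (nor `report-uri`/`sandbox`), so nothing in this response controls which origins may embed the Apple Pay frame. Dropping the old header is reasonable since `'unsafe-inline' 'unsafe-eval' https://*` enforced essentially nothing and the meta policy in the XML hunk is stricter, but replace the commented line with the one directive the meta tag cannot carry — presumably `response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"` if the frame is only embedded by the shop's own pages, otherwise list the embedding origins — and both policies are enforced together, so this does not loosen the meta one. The enclosing method starts before the hunk, and the `nonce` it now passes as `script_nonce` is produced outside this view, so confirm it comes from a CSPRNG (e.g. `secrets`) and is fresh per response, otherwise the `'nonce-…'` allow-list in the meta policy is bypassable.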
--- a/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
+++ b/odex25_donation/applepay_fast_checkout/views/applepay_iframe.xml
@@ -8,16 +8,16 @@
 t-attf-content="
 style-src 'self' https://*.oppwa.com 'unsafe-inline';
 frame-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com;
- script-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com 'nonce-{{nonce}}';
+ script-src 'self' https://*.oppwa.com https://applepay.cdn-apple.com 'nonce-{{script_nonce}}';
 connect-src 'self' https://*.oppwa.com;
 img-src 'self' https://*.oppwa.com;" />
-