From 0f41eb4df4cf7ef5425daee90e101c62f410dc6e Mon Sep 17 00:00:00 2001
From: Usman Baig
Date: Thu, 26 Mar 2026 21:38:47 +0100
Subject: [PATCH] fix: allow mollie.js in CSP, hide app header on checkout page
---
 app/layout-content.tsx | 7 +++++++
 next.config.ts | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/app/layout-content.tsx b/app/layout-content.tsx
index ff50fae..42fc2ea 100644
--- a/app/layout-content.tsx
+++ b/app/layout-content.tsx
@@ -91,6 +91,8 @@ function LayoutInner({ children }: { children: React.ReactNode }) {
 const showOfflineBar = Boolean(auth.user && !isOnline)
 // Site pages use DashboardShell with full sidebar — no Header needed
 const isSitePage = pathname.startsWith('/sites/') && pathname !== '/sites/new'
+ // Checkout page has its own minimal layout — no app header/footer
+ const isCheckoutPage = pathname.startsWith('/checkout')
 if (isSwitchingOrg) {
 return
@@ -113,6 +115,11 @@ function LayoutInner({ children }: { children: React.ReactNode }) {
 )
 }
+ // Checkout page: render children only (has its own layout)
+ if (isAuthenticated && isCheckoutPage) {
+ return <>{children}
+ }
+
 // Authenticated non-site pages (sites list, onboarding, etc.): static header
 if (isAuthenticated) {
 return (
diff --git a/next.config.ts b/next.config.ts
index f4d7991..1070da7 100644
--- a/next.config.ts
+++ b/next.config.ts
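Review bot: `pathname.startsWith('/checkout')` on the new `isCheckoutPage` line also matches any sibling route that merely begins with that prefix (for example a future `/checkout-complete` or `/checkouts`), which would silently strip the app header from those pages as well. The neighbouring `isSitePage` check already pairs its prefix match with an explicit exclusion, so the same precision is cheap here: `const isCheckoutPage = pathname === '/checkout' || pathname.startsWith('/checkout/')`. If `/checkout` is guaranteed to be the only route under that prefix, a comment on the flag stating that assumption would be enough instead. LayoutInner's body continues outside this hunk.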
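Review bot: The new early return under `if (isAuthenticated && isCheckoutPage)` hands back bare `children`, so whatever the authenticated branch below wraps around a page — presumably including the offline indicator derived from `showOfflineBar` in the earlier hunk — is dropped on checkout, which is the one page where a user most needs to know the connection is gone. If that indicator is rendered by the header branch, keep it on this path too by rendering the same element above `{children}` inside the fragment; the bar's rendering is outside this hunk, so I cannot confirm its exact component. An unauthenticated visitor on `/checkout` falls through to the unauthenticated layout further down, which looks intended but deserves a line such as `// Unauthenticated checkout visitors fall through to the default layout below` so the next reader does not take it for an oversight.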
@@ -11,13 +11,13 @@ const withPWA = withPWAInit({
 const cspDirectives = [
 "default-src 'self'",
 // Next.js requires 'unsafe-inline' for its bootstrap scripts; 'unsafe-eval' only in dev (HMR)
- `script-src 'self' 'unsafe-inline'${process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''}`,
+ `script-src 'self' 'unsafe-inline' https://js.mollie.com${process.env.NODE_ENV === 'development' ? " 'unsafe-eval'" : ''}`,
 "style-src 'self' 'unsafe-inline'",
 "img-src 'self' data: blob: https://www.google.com https://*.gstatic.com https://ciphera.net",
 "font-src 'self'",
- `connect-src 'self' https://*.ciphera.net https://ciphera.net https://www.google.com https://*.gstatic.com https://cdn.jsdelivr.net${process.env.NODE_ENV === 'development' ? ' http://localhost:*' : ''}`,
+ `connect-src 'self' https://*.ciphera.net https://ciphera.net https://www.google.com https://*.gstatic.com https://cdn.jsdelivr.net https://*.mollie.com${process.env.NODE_ENV === 'development' ? ' http://localhost:*' : ''}`,
 "worker-src 'self' blob:",
- "frame-src 'none'",
+ "frame-src https://*.mollie.com",
 "object-src 'none'",
 "base-uri 'self'",
 "form-action 'self' https://*.ciphera.net",
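Review bot: `frame-src https://*.mollie.com` and the `https://*.mollie.com` appended to `connect-src` are wildcard grants over every Mollie subdomain, whereas the script itself is pinned to the single host `https://js.mollie.com`; and since `cspDirectives` feeds the headers next.config.ts emits, the move away from `frame-src 'none'` applies to every route, not just `/checkout`. If Mollie's integration docs name the specific hosts its components frame and call, list those instead of the wildcard; if the wildcard is genuinely required, say so above the `script-src` line, e.g. `// Mollie Components on /checkout: script from js.mollie.com; frames and XHR to *.mollie.com (wildcard per Mollie docs — re-check on SDK upgrade)`. Scoping the Mollie entries to a `/checkout/:path*` header entry would keep `frame-src 'none'` on the rest of the app; the `headers()` wiring that applies `cspDirectives` is outside this hunk, so I cannot confirm how it is keyed. `form-action` is left unchanged, which is fine if the payment handoff is a redirect, but any form POST to a Mollie host would be blocked by it.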