Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Django stripe js blocking of inline script

Tags:

firefox

django

content-security-policy

stripe-payments

inline-scripting

I'm trying to implement stripe payment system in Django. For adding card payments, I followed the guide in this link. After adding HTML markup in Django template and CSS and JS code as separate static files, I got the following console error in Firefox:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

What I understand from above error message is that, <script src="https://js.stripe.com/v3/"></script> JS file contains links to other JS files and Firefox blocks such connections. It should be noted that, at this stage test credit card payment is working as expected and amount debited by client is added to my stripe account's test balance. To address this blocking problem, I followed the instructions in this link. As such, I added following meta tag to my Django template:

<meta http-equiv="Content-Security-Policy" content="connect-src https://api.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; script-src https://js.stripe.com" />

After adding above Content-Security-Policy directives, Firefox console no longer shows aforementioned blocking errors, but this time my static JS files are blocked. I have modified directives as below for allowing my JS files (added 'self' to 'script-src' directive):

<meta http-equiv="Content-Security-Policy" content="connect-src https://api.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; script-src 'self' https://js.stripe.com" />

And this time before mentioned inline-script block error reappeared in Firefox console. :)

Can you help me for this issue? Is my understanding correct regarding the cause of Firefox console error? Why implemented solution is not working?

EDIT

Can it be simply Firefox bug, considering that payment is working as expected and Chromium browser does not log any error on developer tools?

like image 443
Elgin Cahangirov Avatar asked Sep 22 '19 20:09

Elgin Cahangirov

Video Answer

1 Answers

According to Mozilla's docs on Content-Security-Policy, there are tons of other security policies, and if your js/css files require one of those to be set, they will be blocked.

Luckily, there is an easy fix, default-src. From the aforementioned docs:

The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for the default-src directive and will use this value for it:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; ...

Note that default-src only applies to fetch directives, so you may need to add a few policies that your page requires.

Also, you will need to specify self for each policy that you define, because firefox will only look to the default-src when a required policy is null.

So if you have a policy like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src http://example.com;">

You will exclude yourself from the script-src policy, but you should be covered by all the other policies, with the exception of the policies that look to script-src as a backup before looking to default-src (eg script-src-elem).

Unfortunately, this also extends to all dependencies that your script has, such as bootstrap or jQuery. each dependency will need to be explicitly referenced in each policy that they require.

If only someone had a package to simplify this process...

Lastly, this answer was an excellent resource for learning about Content-Security-Policy.

Edit

To give you the exact Content-Security-Policy that your page requires, I would need to see the error messages you received. That being said, here is a guess, given the information I have (with line breaks for readability):

<meta http-equiv="Content-Security-Policy" content="
default-src 'self'; 
connect-src 'self' https://api.stripe.com; 
frame-src 'self' https://js.stripe.com https://hooks.stripe.com; 
script-src 'self' https://js.stripe.com 'unsafe-inline'
"  />

You should not add line breaks to the policy in your actual code, instead write it like this:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://api.stripe.com; frame-src 'self' https://js.stripe.com https://hooks.stripe.com; script-src 'self' https://js.stripe.com 'unsafe-inline'"/>
like image 192
Lord Elrond Avatar answered Oct 13 '22 00:10

Lord Elrond
Sign in to Comment

Related questions

Case-insensitive search on a postgres ArrayField with django
Django migration being killed
Django: Using named parameters on a raw SQL query
Singledispatch based on value instead of type
Can i use celery without django
manage.py collectstatic: error: unrecognized arguments: --noinput in shell script launched by Docker
'Operation Denied' Error when deploying an Elastic Beanstalk app using awsebcli
How do I test a method in Django which closes the database connection?
Django-Rest-Framework: Paginate nested object
Parameter order for unittest.TestCase.assertEqual
Django - an equality check in annotate-clause
django.db.utils.OperationalError: cannot ALTER TABLE "forum_thread" because it has pending trigger events
"django.contrib.admin.sites.NotRegistered: The model User is not registered" I get this error when a want to register my Custom User.
Where should the forms.py file be located?
How to login a user during a unit test in Django REST Framework?
How to use telethon in a thread
User model other than AUTH_USER_MODEL in Django REST Framework
Sending and receiving signals in django models
Difference between django.core serializers and Django Rest Framework serializers
How to use django filter_fields with ArrayField in DRF

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!