Menu
I have recently moved from stripe.js v2 to stripe.js v3 / elements. As part of this, I am recieving new CSP errors. These don't seem to be causing stripe to fail, but I would like to understand them:
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: ;undefined.
elements-inner-card-15fb9df8718486f330c3990dde96bfd7.html:1
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: ;undefined.
controller-3984d4085075df939703ec0d22159407.html:1
Both elements-inner-card-15fb9df8718486f330c3990dde96bfd7.html and controller-3984d4085075df939703ec0d22159407.html are from stripe. What I don't understand is the script-src of undefined?
How can a script-src be undefined? A <script> element generally had a src , if not it's unsafe-inline. What does undefined mean?
How can I modify my CSP to allow Stripe v3?
Edit: the error only seems to occur on Firefox, when using LastPass. Chrome does not show this error, nor does Firefox with Addons Disabled.
890
To allow inline scripts and inline event handlers, 'unsafe-inline' , a nonce-source or a hash-source that matches the inline block can be specified. Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.
The src attribute specifies the URL of an external script file. If you want to run the same JavaScript on several pages in a web site, you should create an external JavaScript file, instead of writing the same script over and over again.
If the application is using angular JS and scripts are loaded from a whitelisted domain. It is possible to bypass this CSP policy by calling callback functions and vulnerable class.
The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.).
For those ending up here like me, the solution was different than "disabling addons".
Context: I'm using stripe in React and I use react-stripe-elements to do it. The CSP error came when I was doing this:
<form>
{loading ? <Spinner /> : <CardElement /> }
</form>
It seems that the dynamic mounting/unmounting does not go well there. I changed it like that:
<form>
<div className={classnames({hidden: !loading})}><Spinner /></div>
<div className={classnames({hidden: loading})}><CardElement /></div>
</form>
With the corresponding CSS for hidden of course and the error went away.
Hope it helps some lost souls :)
189
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
