CSP not working | Tauri Apps | Page 1

small canyon Apr 23, 2024, 7:28 PM

#

I have in tauri.conf.json "default-src 'self'; script-src 'self' https://js.stripe.com/v3; connect-src 'self' ws:; img-src https://* data:; frame-src 'self' https://js.stripe.com/v3/*; child-src 'self' js.stripe.com; font-src 'self'; style-src-elem 'self'; style-src 'self'; upgrade-insecure-requests";

Yet I keep seeing these errors when building the app (npm run tauri build)

[Error] Refused to load https://js.stripe.com/v3/controller-with-preconnect-beecccfc8d2d565628a0ac8e67601c4a.html because it does not appear in the frame-src directive of the Content Security Policy.
[Error] Refused to load https://js.stripe.com/v3/m-outer-3437aaddcdf6922d623e172c2d6f9278.html because it does not appear in the frame-src directive of the Content Security Policy.

Unless I'm not seeing something, js.stripe.com is in the frame-src

small canyon Apr 24, 2024, 9:21 AM

#

Looks like partial regex doesn't work

#

Only works if I specify the full URL or just allow everything in frame-src

elder glen Apr 24, 2024, 9:22 AM

#

That's what i thought too but Mdn made it sound like it's supposed to work 🤔

#CSP not working