#toxiCity

Hi there!

Hey Man!

Can you clarify what are you doing when you see this error?

I deployed to production and gets this error whenever I am loading the card payment setup

What is "card payment setup"? How are you integrating with Stripe exactly? Are you using the Payment Element? https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=elements

Whenever I am loading this element

Got it, this is the Payment Element. So it displays properly on the page, but you get errors in the console?

on production this element doesnt load

it only works on development

Hello?

Thanks, for the information! Give me a few minutes to look into this.

ok

Thanks

🤔

Hi there 👋 I'm jumping in as my teammate needed to step away. Please bear with me a moment while I catch up on the context here.

ok

Is the site where you're seeing this publicly accessible, and if so could you share a link to it?

try this

http://3.83.193.123/accounts/set_password/3F631FE521A89E5372DD1E6DCB27D8B8436DE9DDE2848F23E549A2B90B2A6061

I tried setting Content-Security-Policy meta on index.html on the react app

also tried connect.js.stripe and so on but still doesnt work

Looks like that page is behind a login wall

Just create a sample password

This is for our client registration process

Is that page accessible over https?

not yet

this is a test environment and we are not yet connecting to prod domain

Okay, the errors I'm seeing here don't match the ones that you shared initially. Earlier in the thread you mentioned that you deployed to production, is this that site?

yes

What error are you seeing now?

what browser are you using?

Chrome

I am using firefox

either way, it still doesnt load the payment element

Do you know what I can do to fix this?

I'm not sure off-hand (sorry, CSP is not one of my strong points) but I do think it's related to the CSP policy not getting set correctly as I'm seeing errors being raised about your site not being able to load it's own resources.

Can you connect me to someone who knows how to handle this?

I've asked a teammate that is more familiar with React to take a look when they get a moment, but since it looks like this is impacting the loading of more than just Stripe resources the issue may be outside of our areas of knowledge.

Are you sure you don't have a conflicting policy somewhere? ie, if you disable the CSP entirely, do things work as expected?

In terms of the CSP itself, note that you'll also need hooks.stripe.com in the frame-src to manage redirected payment methods: https://stripe.com/docs/security/guide#content-security-policy

The missing frame-src might help explain some of the "refused to frame..." errors

I am using this as my meta data for csp

is there anything wrong with this implementation?

That's different than what you shared above (includes hooks) but it appears to include everything we note

I'm not a CSP expert, but I don't know if you can mix wildcards and explicit allowances

I tried multiple metadata but still getting the same results

Try removing the * on the lines with explicit sources

let me try

Hi still encountering the same issue

I think you need to then carefully review when and how your CSP is set and make sure you're getting the expected result. You can try public evaluator tools, eg: https://cspvalidator.org/
or browser-based tools for inspecting the parsed policy

But it sounds like the final policy you're getting isn't what you intend/expect

says here. that it's a valid policy

Do you have any other documentation I can refer to?

Are you sure? Notice the valid policy below doesn't show the frame-src rules

yes, I noticed it. I'm checking now.

will rebuild again

I don't think there is any Stripe-specific guidance we can offer, this seems like an issue with your application CSP that you need to dig into