#JasonG


faint ploverBOT
hearty hill
#

hello! gimme a while to see what's possible

hearty hill
spice rain
#

Thanks @hearty hill. I am already using a CSP with script-src *.stripe.com; unfortunately that doesn't fix this, as CSP changes what the containing document (my site) will allow, but the lack of a CORS header indicates that the embedded script (stripe.js) won't allow itself to be loaded, so the browser blocks it 😦.

Thanks for looking into this for me.

#

Just placing the actual error here for reference

molten basin
#

Hi Jason. I am Jack and I work with Alex

#

Is there a webpage that I can visit to reproduce this error?

spice rain
#

um... no, because the issue is only present on my development server. Our production servers do not use CSP because they do not currently use the browser features I'm trying to work with.

molten basin
#

What browser feature are you working with? Is it a beta feature?

spice rain
#

I'm working with multi-threaded WASM, which requires CSP

#

I don't think it's a beta feature (at least in Chrome); not sure about other WebAssembly implementations

molten basin
spice rain
#

script-src 'self' 'unsafe-eval' 'unsafe-inline' *.stripe.com cdn.jsdelivr.net blob:;

#

I'm new to CSP, but I had expected that to be sufficient

molten basin
#

Did you also add the connect-src and frame-src?

spice rain
#

frame-src 'self' js.stripe.com hooks.stripe.com;
connect-src 'self' api.stripe.com cdn.jsdelivr.net http://localhost:1337;

#

should connect-src include a broader (or otherwise different) stripe.com address?

molten basin
#

Can you copy the exact configuration? e.g., including the https://

spice rain
#

sure, give me 2 minutes

#

here is my complete CSP config
default-src 'self' 'unsafe-inline' blob: data:;
font-src 'self' *.googleapis.com *.gstatic.com;
frame-src 'self' https://js.stripe.com https://hooks.stripe.com;
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://js.stripe.com https://maps.googleapis.com cdn.jsdelivr.net blob:;
connect-src 'self' https://api.stripe.com https://maps.googleapis.com cdn.jsdelivr.net http://localhost:1337;
style-src-elem 'self' 'unsafe-inline' fonts.googleapis.com;
img-src 'self' blob: data: *.s3.ap-southeast-2.amazonaws.com *.s3-ap-southeast-2.amazonaws.com;

#

I also have the following cross-origin policies
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Resource-Policy: cross-origin

molten basin
#

Can you upload your working project somewhere public so that I can reproduce it?

spice rain
#

I can work something out to make it reproducible, yes