#Sleepyhead
Is this your site with your code?
It is not but I just recently implemented CSP and I am following the Stripe documentation. According to the Stripe docs there is no frame-src. Amex SafeKey uses iframe for safekey-2.americanexpress.com. The Stripe CSP does not mention any frame-src
So I assume the same error would be in my implementation
AFAIK we haven't heard any reports about American Express verification not working. Are you certain the site you are using is a site that uses Stripe for payments?
Yes it is using Stripe js v3 but I don't know more details. I can test this in my app. Is there any Amex test card that triggers SafeKey? The Stripe test 3DS cards seem to load stripe.com iframe
We have an American Express test card: https://stripe.com/docs/testing#cards
This is for Norwegian AmEx cards btw, maybe US AmEx works differently
Yes but it doesn't trigger SafeKey
Yes it's like 3DSecure just less secure
it triggers their iframe and either validates automatically or customer has to enter code sent to both email and sms
I would assume this would be an issue with other 3DS iframe as well, but I would have to test in live mode as test mode just shows me stripe testing 3ds
Got it. Not seeing any reports of amex 3ds being broken on our end
Recommend reaching out to that site owner where you saw the issue
That way they can investigate and/or reach out to us if they believe it's a Stripe bug
I did, just worried about my app now. I am testing 3DS on my live app now
Looks like the site owner has frame-src none which causes the issue. Just setting frame-src js.stripe.com as per docs works. Sorry for the confusion
No worries