#Nick137645
Is there somewhere I can reproduce this? Can you describe what you're doing to invoke these errors? Or share the code?
Also, checkout.js seems to be the script that is throwing the CSP errors – are you importing Stripe code directly in your project as opposed to using the CDN?
Hello, here is the page: https://account.carsoftwarepro.com/checkout
I get a 403 Forbidden
I need your IP address to give you access; currently I limit access via nginx configuration
Looks to me like you're trying to self-host checkout.js for the legacy Checkout integration. Which you should not be doing. Is that correct?
I won't be sharing my IP address
Ok but I can't give you access without opening my whole site to the public. Here is the code
Hmm, you mentioned that you have nginx locking down your server. Did you configure access to allow Stripe.js to communicate with our APIs? https://stripe.com/docs/ips#ip-addresses
Yes
And the errors occur whenever you load the page? There's no specific action/code that triggers it?
This is likely some kind of nginx/CSP config issue and I have no experience with nginx. Let me see if I can find somebody more familiar
thanks
here
Not seeing any CSP headers? https://content-security-policy.com/examples/nginx/
Also, the error implies that nginx is actually blocking your checkout.js, not a Stripe.js script
I am updating the list of Stripe IP addresses and restarting the Nginx server
Ideally, you'd open up the site or host it somewhere else where we can access it temporarily
I updated the list of stripe IP addresses and rebooted the server. I still get the same error.
IP addresses are not related to this
sorry for any confusion there but that's not the issue
the issue is that your CSP is blocking your own site from loading its own script
I can't host my site anywhere else. If you give me an IP address (even a VPN) I can include it in the nginx configuration to let you in.
maybe try changing script-src https://js.stripe.com https://maps.googleapis.com to script-src 'self' https://js.stripe.com https://maps.googleapis.com or similar? you need to allow your own 'self' source of scripts to load that checkout.js
I'll try your proposal
I integrated in the checkout.php page the JS code of the checkout.js page. I still get the same error.
what's the exact error?
The double <script> tag has been fixed in case you notice.
yes
Sorry, I mean, what is the exact error message you are seeing in your browser console? share it here please.
what happens if you entirely remove the <meta http-equiv="Content-Security-Policy" .... > tag?
so it loads fine but you have an actual error (the one about the string not being an expected format). Ignore the CSP warnings for now.
I'll have to take a break to take my wife to work and bring the car to the garage for service. I'll be back in an hour
hmm ok. We'll have closed the thread by then, sorry.
The problem is that the payment form does not load
ok, no problem
yep, so what I would suggest is removing that CSP header for now and focusing on that error I mentioned about the string format
ok
I assume that's because you pass emailAddress as an empty string '' and not an actual email address in the confirmParams.
Thank you for your help. I will review this when I get back.