#silvpol
👋 happy to help
please move your messages to this thread so we can keep it all contained in one place
I will be with you shortly
ok
we already added recommended CSP entries to our page, but these seem to come from Stripe iframe
are these benign or is something still missing?
I can't see an option to move, just copied them in and removed originals
CSP for our page:
content-security-policy
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' js.stripe.com www.recaptcha.net www.gstatic.com/recaptcha/ www.google-analytics.com ssl.google-analytics.com platform.twitter.com connect.facebook.net sdk.snapkit.com; connect-src 'self' api.pwnedpasswords.com www.google-analytics.com api.stripe.com wss://uk.givergy.com ipinfo.io api.snapkit.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com js.stripe.com; img-src 'self' data: blob: *.givergy.com www.google-analytics.com www.facebook.com m.facebook.com *.ytimg.com; font-src 'self' data: fonts.gstatic.com snapnet-cdn.storage.googleapis.com/fonts/; frame-src 'self' js.stripe.com hooks.stripe.com www.recaptcha.net platform.twitter.com www.youtube.com docs.google.com player.vimeo.com vimeo.com www.facebook.com m.facebook.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; report-uri https://givergy.uriports.com/reports/report
ok does it always happen or particularly with a 3DS from a specific issuing bank?
can't say if it's always the same but all the cases I know about are Barclaycard
many of our clients are corporates so it would be a fair assumption that failing cards are corporate
this error seems to be in Stripe page though
would that make a difference?
yes, the problem is with the 3DS page of the issuing bank which has the CSP policy
could you confirm to me how the 3DS loading process
works?
from my understanding
Stripe.js loads iframe from Stripe API
/v3/three-ds-2-challenge-27648cca94cf9d28c3b6c842ef71baf6.html
then loads /v3/three-ds-2-fingerprint-517b15df373f06dfcff091b7f6420edf.html
which then loads the bank's fingerprint and challenge
is that roughly how it works?
the CSP issue seems to pop up on three-ds-2-fingerprint- which is Stripe code
does it actually cause a user-facing error?
it's quite possible we have a small mistake in our CSP for the various domains involved in serving the experience, it can happen and we continue to polish things, but I would just ignore it/warnings in the console unless there is a user-facing problem
we're not sure, as the payment this relates to failed
rather than showing challenge page, 3DS went straight to failure page
what's the ID pi_xxx of the payment that failed then and I can have a look? I doubt it's anything to do with CSP
what happened there is there was a timeout at the ACS (the bank's 3D Secure server), which is a somewhat common error. I'd suggest the customer try a different card or contact their bank if the issue is persistent.
this seems to happen to specific customer, but they can use their card elsewhere
which made us look for any integration/incompatibility issues
same customer tried several times on different days and contacted bank
pattern is consistent for given user, but happens only to small percentage
I doubt it's anything to do with the integration, since presumably your other customers' 3D Secure challenges work. All I can suggest is what I mentioned above.
if you see this persistently you could write a detailed email to https://support.stripe.com/?contact=true with multiple failed PaymentIntents for that card and we might be able to dig in.
ok, thanks