fon | Stripe Developers | Page 1

velvet escarpBOT Jun 21, 2023, 3:41 PM

#

terse gulch Jun 21, 2023, 3:42 PM

#

Thanks for the report, checking in to this. Do you know around when this started happening?

weary steeple Jun 21, 2023, 3:43 PM

#

no clue, just noticed now

#

Got this in the console:

dashboard:1 [Report Only] Refused to load the image 'https://assets.ourcompany.com/logos/favicon.svg' because it violates the following Content Security Policy directive: "img-src https://dashboard.stripe.com https://dashboard-admin.stripe.com https://connect.stripe.com https://t.stripe.com https://b.stripecdn.com data: blob: https://stripe-images.s3.amazonaws.com https://s3.amazonaws.com/stripe-uploads/ https://files.stripe.com https://d1wqzb5bdbcre6.cloudfront.net https://stripe-camo.global.ssl.fastly.net https://stripe-images.s3.us-west-1.amazonaws.com https://stripe-underwriting-documents.s3.us-west-1.amazonaws.com https://prod-identity-product-uploads-us-west-2.s3.us-west-2.amazonaws.com https://checkout.stripe.com https://stripe-upload-api.s3.us-west-1.amazonaws.com https://stripe-paper-checks-images.s3.us-west-2.amazonaws.com https://support-ticket-data-prod.s3.us-west-2.amazonaws.com https://cdn.stripeextensions.com https://qr.stripe.com https://assets.ourcompany.com/logos".

terse gulch Jun 21, 2023, 3:44 PM

#

I am less familiar with how this manifest works. Where is "data blob:"? In the manifest or somewhere else?

weary steeple Jun 21, 2023, 3:44 PM

#

even though in stripe-app.json we have it in here:

  "image-src": ["https://assets.ourcompany.com/logos"],

velvet escarpBOT Jun 21, 2023, 3:45 PM

#

terse gulch Jun 21, 2023, 3:45 PM

#

So "data blob:" is not something you are setting or doing, it is just how Stripe is using that image?

weary steeple Jun 21, 2023, 3:46 PM

#

correct

#

we haven't updated our App in a couple of months

terse gulch Jun 21, 2023, 3:54 PM

#

Still looking in to this. Have you checked this across multiple browsers or devices?

weary steeple Jun 21, 2023, 4:22 PM

#

nope, just Chrome

balmy hearth Jun 21, 2023, 4:24 PM

#

👋 stepping in here

#

Catching up

velvet escarpBOT Jun 21, 2023, 4:30 PM

#

balmy hearth Jun 21, 2023, 4:32 PM

#

Not too familiar with this so give me a few minutes.

dusky agate Jun 21, 2023, 4:35 PM

#

@weary steeple can you share a bit more context around your configuration so that I can find your Stripe App and see if anything changed recently?
The easiest would be to share some non sensitive id from your own account like a recent API Request id req_123 so that I can have a look

#

Also can you confirm where you see this happen? Is it straight in the Dashboard on one of our pages?

#

@weary steeple are you still around?

weary steeple Jun 21, 2023, 4:56 PM

#

yep, I can share that ,sorry

#

the app is https://marketplace.stripe.com/apps/revenuecat

dusky agate Jun 21, 2023, 5:04 PM

#

thanks

#

@weary steeple okay I think you need a trailing slash at the end of that image-src in your stripe-app.json

#

but we're looking into improvements on our end too for this

weary steeple Jun 21, 2023, 5:15 PM

#

ok, will try that, thanks

dusky agate Jun 21, 2023, 5:18 PM

#

Sure! sorry about the trouble. We've been noticing CSP errors but hadn't been able to track it down properly just yet so your report helped connect the dots

velvet escarpBOT Jun 21, 2023, 5:18 PM

#

#fon