#heildever


modern osprey
#

Can you share the stripe-app.json content?

knotty tendon
#

Sure, the whole file?

modern osprey
#

Particularly the part that's erroring

knotty tendon
#
```json
      "connect-src": [
        "'self'",
        "https://api.partnerstack.com/api/integration-connections"
      ],
      "image-src": null,
      "purpose": "Enables PartnerStack Stripe App to communicate with the PartnerStack API."
    }
  },
```
#

You see anything wrong?

modern osprey
#

Asking a colleague

#

Will get back to you

#

They said you need to remove 'self'. With apps you don't need that (unlike a website, a Stripe app is slightly different).

knotty tendon
#

I had 'self' on a previous version and the app was able to make requests; the HTTP requests have been blocked since I removed 'self'.

stable heron
#

Hey there, just popping in to help; I was looking into this.

#

Where is that request going? Is it blocked by CSP specifically?

knotty tendon
#

We had to remove 'self' because we weren't able to upload our new version.

#

Now these requests, going to our own backend, are being blocked. There are no changes to the config or the backend. I can also confirm that the requests work fine locally as soon as I put 'self' back.

#

Leads me to think removing 'self' causes requests to be blocked by CSP 🤔

stable heron
#

What's the complete URL of that request being blocked?

knotty tendon
#

The URL is defined under 'self' in content-src, in the JSON I posted above.

stable heron
#

Can you show that on the blocked request, for posterity?

#

Just want to make sure there isn't a mismatch

knotty tendon
stable heron
#

Can you try removing the `content_security_policy` and re-adding it via the CLI?

knotty tendon
#

With or without 'self'?

stable heron
#

And does it work when running locally, using `stripe apps start` to test?

knotty tendon
#

yup

stable heron
#

Without; just using `stripe apps grant url "https://api.partnerstack.com/api/integration-connections" "Send data to backend service..."`

knotty tendon
#

Giving this a try

#

No difference

stable heron
#

And this block happens while testing with it running locally?

knotty tendon
#

uh huh

#

Well, the same version, with the same JSON, is also deployed.

stable heron
#

I think the best course right now is to write in to our support team with the two specific versions and this 'self' CSP difference, along with this example of the request being blocked.
https://support.stripe.com/contact
This seems like it's unexpected, or the CSP you configure is not being applied as expected.

#

This is producing a CSP error in the console, too?

knotty tendon
#

I don't understand how I was able to upload a version with 'self' in the manifest; now the same config doesn't work.

stable heron
#

If it's blocked by CSP, there should be an explicit console message saying so.

#

I'm not sure either! I would say you should include both versions of that part of your config, and indicate what happens in each case

#

(previous version with 'self' works, new version can't be uploaded with 'self', request seems to be blocked without it, etc.)

knotty tendon
#

Sounds good