peter-stripeapps-csp | Stripe Developers | Page 1

obtuse tartanBOT Feb 26, 2024, 6:59 PM

#

wet plinth Feb 26, 2024, 7:00 PM

#

Hi 👋

What's your specific question?

#

Does this have to do with the csp policies you set in the App manifest? https://docs.stripe.com/stripe-apps/reference/app-manifest

pearl raft Feb 26, 2024, 7:01 PM

#

Thanks for response. Everything works fine in dev mode locally but when I try to upload app, it tells me that Stripe domains are invalid in manifest for CSP.

#

yes ^^

wet plinth Feb 26, 2024, 7:02 PM

#

Okay. Are you developing with an extended manifest for local development?

#

Like we describe here: https://docs.stripe.com/stripe-apps/reference/app-manifest#extended-manifest

#

What URLs are you trying to use here?

pearl raft Feb 26, 2024, 7:03 PM

#

no just the stripe-app.json

#

"image-src": [
"https://*.stripe.com/links/"
],

#

doesn't like that ^

#

%2A is actually *

wet plinth Feb 26, 2024, 7:05 PM

#

Why aren't you specifying concrete links? I don't think CSP rules accept encoded characters.

pearl raft Feb 26, 2024, 7:05 PM

#

I have tried with various sub domains

#

error response is:

#

Request failed, status=400, body={
"error": {
"message": "3:Invalid CSP: "https://*.stripe.com/links/": Stripe domain not allowed.",
"request_log_url": "https://dashboard.stripe.com/test/logs/req_v8RsY9mewanDkf?t=1708973817",
"type": "invalid_request_error"
}
}

Stripe Login | Sign in to the Stripe Dashboard

Sign in to the Stripe Dashboard to manage business payments and operations in your account. Manage payments and refunds, respond to disputes and more.

wet plinth Feb 26, 2024, 7:06 PM

#

Okay, so the ask is "why is 'Stripe domain not allowed'"?

pearl raft Feb 26, 2024, 7:06 PM

#

ye

#

just want to display a Stripe hosted product image

wet plinth Feb 26, 2024, 7:06 PM

#

And if you don't include that, when you are testing locally, you get CSP errors when trying to load the image?

pearl raft Feb 26, 2024, 7:07 PM

#

correct

wet plinth Feb 26, 2024, 7:09 PM

#

The trouble is, when it's installed, the app will be running from a stripe.com space, essentially this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#example_1

pearl raft Feb 26, 2024, 7:10 PM

#

so likely not an issue running in prod then leaving it out?

wet plinth Feb 26, 2024, 7:12 PM

#

What I would do to test and validate this, is install it on an External account like we document here: https://docs.stripe.com/stripe-apps/test-app.

That will still be in Test mode and not in production but will run on the Stripe Dashboard instead of proxy-ing from a local server on your dev machine. If you leave out the CSP rules and still get a CSP error when loading the images then we will likely need to file a case with Support to get a definitive answer (https://support.stripe.com/contact).

pearl raft Feb 26, 2024, 7:13 PM

#

ok great thanks

wet plinth Feb 26, 2024, 7:13 PM

#

You can create a brand new Stripe Account that is not activate (so it only works in Test mode) and then install the app there. That's what I've done to test out the installation flow

#

I think that answers your question for now so I'll close out this thread. If you have other questions about Stripe integrations feel free to ask in the #dev-help channel.

#peter-stripeapps-csp