oleg_csp-bug | Stripe Developers | Page 1

balmy minnowBOT May 29, 2024, 10:49 PM

#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1245509389155303496

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

hot raven May 29, 2024, 10:50 PM

#

@rich sigil do you have a URL I can look at it live?

rich sigil May 29, 2024, 10:51 PM

#

It's on our checkout form; you would have to go through https://coda.io/signup?continueTo=%2Fpricing and click Upgrade, and open the Chrome console on the checkout page that has the Stripe Elements

#

#1182750600262328361 message

#

I saw you had helped with this in the past

hot raven May 29, 2024, 10:52 PM

#

yep that rings a bell

#

Can you give me a test account I can use? I'm not going to sign up for a real account with my real email

rich sigil May 29, 2024, 10:53 PM

#

One sec

hot raven May 29, 2024, 10:53 PM

#

sure! I'll flag internally in parallel

rich sigil May 29, 2024, 10:57 PM

#

Alright, you can go here to sign in: https://coda.io/signin/email

Email: coda.tables+stripetest@gmail.com
Password: stripetest12345!

Then once signed in, here's the direct link: https://coda.io/workspaces/ws-pOpdJmIfjH/upgrades/paymentMethod?selectedPlan=Pro&selectedTerm=ANNUAL

hot raven May 29, 2024, 10:58 PM

#

perfect, do you know when it started?

rich sigil May 29, 2024, 10:58 PM

#

I think about a couple hours ago

hot raven May 29, 2024, 10:59 PM

#

Do you know if this is linked to AddressElement on your page? I'm not clear from your code if you preload it or not

#

oleg_csp-bug

rich sigil May 29, 2024, 11:14 PM

#

Sorry - we use AddressElement and CardElement so probably one of those

hot raven May 29, 2024, 11:20 PM

#

thanks!

rich sigil May 29, 2024, 11:27 PM

#

Just took a look - https://docs.stripe.com/security/guide?csp=csp-js still doesn't say that js.stripe.js should be in connect-src, so this does seem unintentional.
While it's innocuous, it did start paging our SRE team due to all these errors and it's the second time there's a regression - would be great if y'all can put some safeguards in place once fixed so it doesn't keep happening 🙏

hot raven May 29, 2024, 11:28 PM

#

I'd recommend adding js.stripe.js in your CSP in that case. We definitely will investigate but we don't consider that error the kind of thing someone should page over at least (though I get why you would)

rich sigil May 29, 2024, 11:31 PM

#

Yup, we added it in our CSP for now again. We have alerts for elevated CSP violations in place just to make sure there aren't fatal issues that might prevent customers from being able to check out

#

Thanks for investigating

hot raven May 29, 2024, 11:31 PM

#

Sure thing and sorry for the hassle. I'll push internally to get this better implemented so that it doesn't leak regularly

rich sigil May 29, 2024, 11:32 PM

#

Np. It doesn't seem cause any functional issues. Thanks!

hot raven May 29, 2024, 11:52 PM

#

@rich sigil issue should be resolved!

#

thanks again for raising quickly and providing a repro 🙂

rich sigil May 29, 2024, 11:53 PM

#

Awesome, thanks!

#oleg_csp-bug