#kilian_error

👋 Welcome to your new thread!

⏲️ We'll be here soon! We typically respond in a few minutes, but in some cases we might need a bit more time (e.g., server's busy, you've got a complex question, etc.).

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1260543383672459348

📝 Have more to share? Add details, code, screenshots, videos, etc. below.

You are deploying a custom CSP policy ?

Originally we had no CSP deployed at all.
ATM whe have a CSP based on Stripes guides with additions to allow the other parts of the site to run

script-src * https://checkout.stripe.com https://*.js.stripe.com https://js.stripe.com 'self' 'unsafe-inline' 'unsafe-eval'; connect-src * https://checkout.stripe.com https://api.stripe.com 'self' 'unsafe-inline'; frame-src * https://checkout.stripe.com https://*.js.stripe.com https://js.stripe.com https://hooks.stripe.com 'self' 'unsafe-inline'; style-src * https://checkout.stripe.com https://*.js.stripe.com https://js.stripe.com  'self' 'unsafe-inline'; img-src * https://checkout.stripe.com 'self' 'unsafe-inline';```

CSP currently deployed

Are you missing some of these?
https://docs.stripe.com/security/guide?csp=csp-js#content-security-policy

The only ones not deployed would be those for Connect Emebedded.
The Checkout page uses Stripes React Elements and Stripe.JS, both of which are included in the CSP as per Stripe's guidelines

hi! I'm taking over this thread.

can you clarify if the error you saw has any impact of the payment flow? or is everything working as expected?

Payment aborts due to no 3DS getting done

AMEX card however did show the 3DS overlay, it's the VISA card we have that doesn't

using the Elements Checkout
is this the Payment Element or Checkout Session?

also can you share a PaymentIntent ID (pi_xxx) with this issue?

PaymenElement

We are using SetupIntents

got it. can you share a SetupIntent ID (si_xxx) then?

seti_1PaxyKCtMhNtiuzXdVMKL4Hf

FYI, if you open the source of the failure as reported by Chrome ( js.stripe.com/v3/three-ds-2-fingerprint-587e628d241b39cb5f89bbd29492bd67.html#intentId=seti_1PaxjuCtMhNtiuzXkZl038Jk&locale=de&hosted=false&referrer=https%3A%2F%2Fhellohair.com%2Fdashboard%2F&controllerId=__privateStripeController7371) directly, it also fails with the same error

thanks

to me it looks like the bank simply rejected that transaction, that's why 3DS is failing here.

The 3DS never appeared in the first place.
I can't fail without us never having even seen it.

To add, the SeTi shows next step to be a 3DS prompt by the SDK

We are in the middle of a soft launch, the error has never appeared with any of the 3DS test cards Stripe provides.
As we are in the EU, 3DS is mandatory

And it only happened with a VISA, a test with an AMEX did show the 3DS prompt as an overlay

This is Stripe's script getting called own it's own in a new tab

The two CSP errors are identical to the ones we are experienceing on our checkout page.

Can you please try the flow in an incognito window and/or disable all browser extensions?

Looking at this internally in the meantime

Will try

Looking at the underlying intent, it seems indeed that the issuer flat out rejected the authentication request and therefore there was no 3DS challenge flow. The message:

Ihre Zahlung war nicht erfolgreich. Bitte nutzen Sie zur Freigabe Ihrer Online-Zahlung die S-ID-Check-App.

But we should be handling that scenario garcefully

Can you share a screen recording of the issue, obfuscating the card data? Curious to see how the UI behaves

I can try

Thanks! Overall, the bank/issue rejected the auth for this card so the cardholder should speak to the bank about that

But Stripe.js should handle those scenarios so I've flagged it with the team internally to look at

It's just strange we never even were able to make an auth attempt

I'd understand it if the 3DS popped up and we failed it, but it never showed up

Yep, can happen. The bank can just flat out refuse/decline the auth attempt which is what happened here

In basic terms we basically send a request 'we want to charge this card, can we?' and the issue/bank will respond with one of:

• Sure, go ahead (no auth)
• Sure, go ahead (frictionless flow)
• Sure, go ahead (challenge flow, like a OTP sent to an app or whatever)
• No, we're declining this payment

The latter is what seemingly happened here (shared the reason above). Now in that scenario Stripe.js should handle that decline accordingly

Here is what happenes.
The captach was the first time it showed anything, but it stilled failed with the CSP errors

thanks, I'll share that video with the team.

Thanks.
Is there any way for us atm to somehow tell the user something went wrong?

what do you mean? next steps would be to contact the users so that their either: contact their bank to explain why they declined the payment, or simply try a different payment method.

What I meant is if there is a state that this failure returns that we can use (w/o hooks)

you mean display something on the UI that the payment failed, becasue currently nothing is shown in the Payment Element?

Yes

this guide shows how to handle errors when confirming the PaymentIntent: https://docs.stripe.com/payments/accept-a-payment?platform=web&ui=elements#web-submit-payment

It is a setup intent

the same idea applies

It fails long before any payment intent even is created