#cricket_unexpected
🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1310991663287500921
Sorry, the error they are getting is "your organization doesn't allow you to view this site". (copy/pasted wrong text)
But they are getting the error "We recognize they must all share the same security company." which is hard to tell if this is a Stripe response or blocker response.
ah, yes, i was just about to ask
Where is that error observed?
One moment and I will send a screenshot
This sounds like a potential network restriction they've put in place
Do you have one of these devices to test on?
Here is the cardElement
We have a customer with a Chromebook, but no one locally. We had our devs work over the weekend getting console logs and nothing stands out.
We definitely think it's their security company, but not sure why they would suddenly block it. It's many schools throughout the U.S., not just one customer.
Do you encounter any JS errors at runtime?
So, high level, the way Stripe.js and Elements works is via managed iframes
Only this
You load the js.stripe.com/v3 resource, and when initialized it creates some iframes
then when you mount an element like cardElement.mount("#card-element")
it injects another iframe in that host dom element
these iframes are also hosted at js.stripe.com
It seems unexpected that the restriction would let you load the stripe.js resource but not the card element iframe, which both come from the same domain
Yeah exactly, they can access js.stripe.com directly, which loads the js. I'm thinking maybe it has to do with cross-origin iFrames. Does Stripe rely on cookies at all to load the elements?
(you'd have encountered other runtime errors trying to initialize/use stripe.js if the resource failed to load)
There are some essential cookies used, yes
But they aren't a strict dependency for loading/rendering an element as far as i know
Do you know when this issue started?
I assume it was working previously, but can you confirm that?
It was first reported last Tuesday. We told that first customer that it was clearly their network/school blocking it. But then this weekend we had 9 other reports (various geographics across the nation).
Yup has been working fine for as long as we have been using Stripe!
ok thanks for confirming
Also, if we tell them to switch to Edge or Safari, it works fine...
Yeah we told them to turn off all extensions and also try incognito. No luck.
One had both a Chromebook and Windows (Chrome browser), and didn't work on both.
Interesting...I don't recognize this code. We went off of the basic element installation instructions. Does this tell the browser exactly what needs to be allowed?
Going to send this to our chief architect to explore
It's possible the frame-src is a factor here, but you should see CSP violation errors in the console when that happens
I also found this report from last year using that error text you shared, but it links to a private/hidden issue: https://support.google.com/chrome/thread/228833811/after-updating-to-113-get-a-message-saying-your-organization-doesn-t-allow-you-to-view-this-site?hl=en
This is all good to know! We'll try out the CSP stuff and look over that thread to see if anything helps and report back if that does the trick (in case you have others report this in the future).
Where is the "your organization doesn't allow you to view this site" error seen? Is it the view/error inside that cropped card element iframe?
It seems most likely that this is due to firewall blocking, either at the network or device level
Which is weird if it works for other browsers
Just found this in the Chromium source code, which strongly suggests this is due to managed device policy applied via Chrome/google account management:
<message name="IDS_ERRORPAGES_SUMMARY_BLOCKED_BY_ADMINISTRATOR" desc="Summary in the error page when an administrator policy blocks a request.">
Your organization doesn’t allow you to view this site
</message>