#mattcomroe_code
this is where i get the CSP error
Hello, looking into this. What does "javascript control" in "Stripe Payment Element javascript control" mean? Is that a wrapper that someone wrote for the payment element? Or a variant of ours that I'm not immediately recognizing? Or something else?
not a wrapper; trying to load up the Stripe JS Payment Element. It only seems to be a problem with the bank authentication; CC additions and putting in Bank account numbers seem to work fine.
so, everything below the words "Card number" in the most recent screenshot, or below "new bank account" in my first screenshot is the Stripe JS control.
"control" just meaning something mounted from Stripe.js basically? Just making sure I'm not making assumptions on terminology
yes, that is correct.
Still looking into this. Do you have the rest of our CSP recommendations included as well?
https://docs.stripe.com/security/guide?csp=csp-js#content-security-policy
oh! i was not aware that you had CSP guidelines; that's definitely helpful. thank you for that link!
Yep, definitely a good doc. We don't mention frame-ancestors at all there though, so I am trying to figure out how that is coming into play (and if we need to update the doc)
thank you for looking into it! i appreciate you.
oh, i also wanted to point out that initially we had no CSP rules applied; it was only after seeing the error that I tried to add the IIS config item that i put in my initial comments. So all the other functionality of the Payment Element was fine except for that secondary authentication/confirmation for ACH Payment Method setup.
Gotcha, and with the CSP rules from that doc does anything change?
I will need to try that out again after we're done chatting here. I need someone in a different department to make those changes on the web server for me (annoying for debugging for sure).
i was hoping to find out if this was something you had seen before, if the syntax on my one CSP rule looks right (clearly need to include more rules), etc.
Taking over this thread, catching up now
Thanks, river!
I couldn't spot anything that doesn't look right at the moment. Could you try adding the CSP directives listed in the doc my colleague Pompey shared earlier? If it still doesn't work, it'll be helpful to share your development website with the issue, so that we can take a look at how the CSP is configured
ok; i can do that! i just found it a little odd that we had no CSP directives in place and everything worked except this one thing.
i'm mildly concerned about the issues that putting CSP rules in place might have since we weren't running them before. But that's why we have test environments, right?
but i will go off and try that, and we can close out this thread.
This is indeed strange that https://connections-auth.stripe.com fails to load due to CSP without any directives being set up previously. Could you share the development website in this case, so that I can take a look?
unfortunately i can't. the issue is only present when running iOS because of the way internal URLs are handled (it's something other than https on the device or something)... you would only be able to see the issue on a development copy of our iOS app.
the underlying web code would work fine in a desktop browser or android; we serve up that page for iOS a little differently.
Ah I see! That might be additional CSP validation in that page for iOS specifically since the same page works fine in the desktop browser and android
possibly! is there anything i should be doing besides testing, seeing what CSP error comes back, adding that domain into my config, testing again, etc until it's working?
I can't think of a better way other than the one you suggested. Since the issue is only limited to the page in your iOS app, we don't have much visibility on how to troubleshoot the issue
yeah i know this was a tough one to bring to you without a lot of visibility on your end so i really appreciate your efforts to help.
No problem! Happy to help