learner - CORS | Stripe Developers | Page 1

clever sun Jan 25, 2022, 6:27 PM

#

Hi 👋

#

What errors are you seeing?

#

What is the context?

turbid falcon Jan 25, 2022, 6:31 PM

#

While implementing https://helmetjs.github.io/ for security, we see errors like ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep

#

#

GET https://www.mydomainname.com/css/global/fonts/ProximaNova.css net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200

hollow yacht Jan 25, 2022, 6:44 PM

#

This seems to be a helmet-specific issues, not a Stripe-related one: https://github.com/helmetjs/helmet/issues/343

GitHub

After update issue ERR_BLOCKED_BY_RESPONSE · Issue #343 · helmetjs/...

I am getting this error after update net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200

turbid falcon Jan 25, 2022, 6:46 PM

#

Thanks Karbi. That helps

#

@hollow yacht So we always need to disable crossOriginEmbedderPolicy: false, in the Helmet config when using it with Stripe?

hollow yacht Jan 25, 2022, 7:01 PM

#

correct

steady jay Jan 27, 2022, 4:45 PM

#

hello again @turbid falcon -- re-opening this

#

You found another approach?

turbid falcon Jan 27, 2022, 4:47 PM

#

Yes, if Stripe starts providing Cross-Origin-Resource-Policy Header, we can avoid crossOriginEmbedderPolicy: false as it makes thing less secure. Can Stripe provide this header?

terse dove Jan 27, 2022, 4:51 PM

#

Hello! What specific content would you like to see us put in that header?

turbid falcon Jan 27, 2022, 4:55 PM

#

I think mere setting it should help resolve this?

terse dove Jan 27, 2022, 4:57 PM

#

Looking at that it sounds like it's a header you would need to set, not us. Have you tried setting that header on your server to cross-origin?

turbid falcon Jan 27, 2022, 5:05 PM

#

The message reads server needs to set the header. So the Server hosting Stripe.js would need to set the header?

terse dove Jan 27, 2022, 5:07 PM

#

I believe that's referring to the server hosting the website that's trying to use a cross-origin resource, which would be your server.

turbid falcon Jan 27, 2022, 5:08 PM

#

The StripeJS gets served to the browser client from Stripe server not ours

terse dove Jan 27, 2022, 5:14 PM

#

Right but your web page is the one being served to the browser client first, then your page tries to load Stripe.js, but if you don't have that header set it's going to cause issues with your configuration because Stripe.js is on a different origin than your site.

#

That's why it says "to use this resource from a different origin" in your screenshot. Your website's origin is different from Stripe.js' origin.

#

Is your server currently sending the Cross-Origin-Resource-Policy header? If so, what's the value?

turbid falcon Jan 27, 2022, 5:30 PM

#

it's set to same-origin on our end

terse dove Jan 27, 2022, 5:30 PM

#

Right, so that's the problem.

#

You're saying to the browser "only load stuff from the same origin" which is blocking Stripe.js because it's on a different origin.

#

You need to set that to cross-origin or stop setting that header to allow Stripe.js to load.

#

You can read more about that header and how it works here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

turbid falcon Jan 27, 2022, 5:41 PM

#

@terse dove I tried setting it to cross-origin-resource-policy: cross-origin still get the same error

terse dove Jan 27, 2022, 5:42 PM

#

The same exact error?

#

Is this online somewhere so I can take a look?

turbid falcon Jan 27, 2022, 5:43 PM

#

terse dove Jan 27, 2022, 5:43 PM

#

Wait, so that's the request to fetch Stripe.js... did it succeed? Is Stripe.js working on your site?

turbid falcon Jan 27, 2022, 5:44 PM

#

Sorry, in case you haven't read the above thread, this started when we introduced Content Security Policy on our end using Helmet

#

Without CSP or with crossOriginEmbedderPolicy: false it works well (Site is not live yet but only deployed on Dev environment behind firewall)

terse dove Jan 27, 2022, 5:46 PM

#

Yeah, as stated above crossOriginEmbedderPolicy: false is required to make this work. There's no header we could set that would override or change that.

turbid falcon Jan 27, 2022, 5:47 PM

#

As suggested by Chrome, if Stripe starts providing the header, this might go away?

terse dove Jan 27, 2022, 5:48 PM

#

The crossOriginEmbedderPolicy setting, when set to true, sets the Cross-Origin-Embedder-Policy header to require-corp which explicitly prevents loading resources from different origins: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

#

Oh, actually, I think I'm mistaken. I'm not that familiar with the Cross-Origin-Embedder-Policy header, but looking into it it does seem like it would respect the header if we set it.

#

Hang on...

#

Apologies for misunderstanding earlier. This is actually being considered internally right now. I can't guarantee we'll implement it or give you a timeframe or anything like that, but we are looking into it.

turbid falcon Jan 27, 2022, 5:57 PM

#

Thanks @terse dove when should I ask this again?

terse dove Jan 27, 2022, 6:03 PM

#

I don't have a timeframe. I did flag that you asked about this internally, but I can't say when we'll have news. Maybe check again in a few weeks? It's not likely to change soon, so you'll need to keep that setting set to false for now.

turbid falcon Jan 27, 2022, 6:06 PM

#

Would it make a difference if we place a formal request with Stripe as we are a paid customer?

terse dove Jan 27, 2022, 6:07 PM

#

You can always make feature requests by writing in to support: https://support.stripe.com/contact/email

#learner - CORS