#sushbhat-payment-intent
Hello @patent briar
I haven't made any changes to the sample application available on the Stripe website. Any idea about this issue?
Which language are you using?
It's a Java backend and JavaScript/HTML on the front end.
I have downloaded it from here https://stripe.com/docs/payments/quickstart
Checking it now
thanks
I tried from the sample and 3DS is working fine and able to redirect back successfully
Can you clear cookie/session and try again?
Did you modify anything from the sample code?
no
I actually tried running the Python backend also, seeing the same error there.
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:4242/checkout.html?payment_intent=pi_3LGcxaSCK3aL74Yq1KB1dXs1&payment_intent_client_secret=pi_3LGcxaSCK3aL74Yq1KB1dXs1_secret_GxOU5NDesFsZp8SmFZcTaJDYl&source_redirect_slug=test_YWNjdF8xTEFTcjRTQ0szYUw3NFlxLF9MeWE4QXBXaUdpaWdSRUU0MkhMdmthenBEeUN0SkRY0100enesXa5h&source_type=card (“frame-src”).
Can you try adding a meta tag for Content Security Policy in checkout.html for frame-src [0], as mentioned here? https://stackoverflow.com/questions/67515492/stripe-connect-content-security-policy-issue
[0] https://stripe.com/docs/security/guide#content-security-policy
ok..
I have added a meta tag like this:
<meta http-equiv="Content-Security-Policy" content="
default-src *;
style-src 'self' 'unsafe-inline';
script-src * 'self' https://checkout.stripe.com 'unsafe-inline';
connect-src * 'self' https://checkout.stripe.com 'unsafe-inline';
img-src https://*.stripe.com;
frame-src * 'self' https://checkout.stripe.com
;" >
but the error persists
Also, what's the test card you used?
The example in the SO question is not correct. It's been corrected by the answer below. Can you check what CSP is in your current integration? https://stackoverflow.com/questions/64060894/trouble-with-content-security-policy/64068629#64068629
I used 4000000000003063 on the sample
Yes, I changed the meta tag as per the comment:
<meta http-equiv="Content-Security-Policy" content="
default-src *;
style-src 'self' 'unsafe-inline';
script-src * 'self' https://checkout.stripe.com;
connect-src * 'self' https://checkout.stripe.com;
img-src https://*.stripe.com;
frame-src * 'self' https://checkout.stripe.com https://hooks.stripe.com
;" >
I checked one of the URLs and the CSP is this for me:
content-security-policy
base-uri 'none'; connect-src 'self' https://api.stripe.com https://errors.stripe.com https://r.stripe.com; default-src 'self'; font-src 'none'; form-action https:; frame-src https:; img-src 'self' https://q.stripe.com https://qr.stripe.com; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; report-uri https://q.stripe.com/csp-report
Without adding CSP meta tag, do you see CSP header as well?
let me check
By right, there shouldn't be any CSP header from the sample code.
And is there any particular URL I need to check?
Because for another URL I see a CSP like this:
content-security-policy
base-uri 'none'; connect-src 'self' https://api.stripe.com https://errors.stripe.com https://r.stripe.com; default-src 'self'; font-src 'none'; form-action 'none'; frame-src 'self'; img-src 'self' https://q.stripe.com; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self' 'sha256-0hAheEzaMe6uXIKV4EehS9pu1am1lj/KnnzrOYqckXk='; report-uri https://q.stripe.com/csp-report
I'd suggest checking checkout.html after redirecting back from 3DS since it's where the issue occurs
ok
which test card are you using?
I am using 4000 0035 6000 0008
These are the URLs invoked after authenticating 3DS; strangely, I don't see any checkout.html.
Just make sure we are looking at the same sample code, are you downloading for "Prebuilt Checkout page" or "Custom payment flow"?
"Custom payment flow"
There is one URL though that stays in a pending state: https://q.stripe.com/csp-report
Am I right that you click Download full app from here?
Hi @winged bridge, how do you run the Python server?
export FLASK_APP=server.py
python3 -m flask run --port=4242
Did you execute the above command?
Yes, for Python I did that, except it's Windows so I used 'set' instead of export.
But I mainly want to run it in Java; Python I just checked to confirm the error is nothing specific to the language.
Can you change return_url: "http://localhost:4242/checkout.html", to return_url: "http://127.0.0.1:4242/checkout.html", ?
ok
No, still the error:
Content Security Policy: The page’s settings blocked the loading of a resource at http://127.0.0.1:4242/checkout.html?payment_intent=pi_3LGe63SCK3aL74Yq09LIhQ3g&payment_intent_client_secret=pi_3LGe63SCK3aL74Yq09LIhQ3g_secret_Cjuzpc4A2KVt9SVzMdNggJK99&source_redirect_slug=test_YWNjdF8xTEFTcjRTQ0szYUw3NFlxLF9MeWJJeUFNM2UyM054NEtGZDRWUXNWcGZtc3c4ZlVF0100NCDoaCt6&source_type=card (“frame-src”).
What browser are you using? do you have any plugins installed in this browser?
I tried on Chrome and Firefox; Firefox was freshly installed so no plugins.
I tried on a VM also and the host machine.
Can you capture the network traffic and send us the HAR file? https://support.google.com/admanager/answer/10358597?hl=en
wait I see a Forcepoint Endpoint extension installed
It's a work laptop, does that affect it?
I never used that, can you disable and try again?
I checked now on a VM that doesn't have that extension, still the same error. Let me share the HAR file.
Is there any way to get a screen share session from a Stripe POC?
We can only support you via chat or email
Can you also share with us the console log?
Thanks, can you also take a screenshot of the console log so that I can know which one is the error?
Thanks. I don't see any CSP directives in the network response. Can you try loading your webpage in another machine in the same network?
OK, I have tried on a VM and the host machine for now.
I have tried on a different machine as well, no luck.
I don't know from where these CSPs are being set
Refused to load the image 'data:image/png;base64,iVBORw0KGgo=' because it violates the following Content Security Policy directive: "img-src 'self'".
hooks.stripe.com/:1 Refused to frame 'http://localhost:4242/' because it violates the following Content Security Policy directive: "frame-src https:".
I tried creating a localhost HTTPS server and hosting the checkout page; then the 2nd error goes off, the one related to frame-src, but the first one related to img-src stays.
Did you try serving the webpage from a different machine?