
javascript - Stripe Connect : Content Security Policy issue - Stack Overflow


Even by using meta tags, it is still showing the error and the iframe is not working.

<meta http-equiv="Content-Security-Policy" content="
         default-src *; 
         style-src 'self'  'unsafe-inline'; 
         script-src * 'self' https://checkout.stripe. 'unsafe-inline' 
         connect-src : * 'self' https://checkout.stripe.  'unsafe-inline' 
         frame-src : * 'self'  https://checkout.stripe.  'unsafe-inline' 
         'unsafe-eval' 
         ;" >

Link reference: https://stripe./docs/security/guide#content-security-policy

Error: Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

Also I used header() to set this up, but that also didn't work. Any help will be appreciated.

asked May 13, 2021 at 7:31 by armin; edited May 13, 2021 at 8:07 by armin

2 Answers

Your CSP has a lot of errors:

  1. You have missing semicolons (;) to separate the script-src / connect-src / frame-src directive lists.

  2. The : is not required in connect-src : * ... and in frame-src : * ...

  3. Remove 'unsafe-inline' and 'unsafe-eval' from the connect-src and frame-src directives; those are not supported there.

  4. The * (asterisk) covers any host-source like https://checkout.stripe. and wss://checkout.stripe.

BUT these are not significant; they just mean that the CSP you really have is:

default-src *; 
style-src 'self'  'unsafe-inline'; 
script-src * 'self' 'unsafe-inline' 'unsafe-eval'

This CSP restricts nothing except the use of data: URLs. Therefore the error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

cannot belong to your CSP.
It looks like you already have a CSP header published somewhere. Hence the second CSP via <meta> or HTTP header does not have the effect you expect.

Check what CSP header you have really got in the browser; the tutorial is here.

Check the web-server config in Nginx for the presence of add_header Content-Security-Policy ... or the .htaccess file (if Apache) for Header set Content-Security-Policy ...
Or maybe you have installed some plugins for managing CSP headers.
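As an added example (not code from the question, the answers, Stripe or MDN), the following JavaScript parses a policy the way a browser splits it, flags the four mistakes listed in the answer above (swallowed directives from missing semicolons, stray colons, inline keywords in non-code directives), and then evaluates a load against one or more policies. The last part shows the diagnosis in the answer: when a stricter policy also reaches the browser (an HTTP header plus the <meta> tag), an inline script is blocked even though the <meta> policy alone allows it. The policy strings, the checkout host name, the page origin and the "header" policy are all constructed for illustration, and the matcher covers only the source expressions that appear on this page, not the full CSP grammar.

```javascript
// Added example, not from the question, the answers or Stripe: a small CSP
// linter and multi-policy evaluator. All policies, hosts and origins below
// are constructed for illustration.

const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src",
  "frame-src", "font-src", "media-src", "object-src", "child-src",
  "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
]);
// These keywords only mean something where scripts or styles are evaluated.
const INLINE_KEYWORDS = new Set(["'unsafe-inline'", "'unsafe-eval'"]);
const INLINE_CAPABLE = new Set(["default-src", "script-src", "style-src"]);

// Split a policy string into directive -> source list. Directives are
// separated by ";" only; a browser keeps the first occurrence of a name.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Flag a directive name that landed inside another directive's source list
// (missing ";"), stray ":" tokens, and inline keywords in directives that
// never evaluate code.
function lintPolicy(policy) {
  const findings = [];
  for (const [name, sources] of parsePolicy(policy)) {
    if (!KNOWN_DIRECTIVES.has(name)) findings.push(`unknown directive "${name}"`);
    for (const src of sources) {
      const s = src.toLowerCase();
      if (KNOWN_DIRECTIVES.has(s)) findings.push(`"${src}" inside ${name}: missing ";" before it`);
      else if (s === ":") findings.push(`stray ":" inside ${name}`);
      else if (INLINE_KEYWORDS.has(s) && !INLINE_CAPABLE.has(name)) findings.push(`${src} has no effect in ${name}`);
    }
  }
  return findings;
}

// Minimal source-expression matching: 'self', 'unsafe-inline', "*", a bare
// scheme ("https:") and host sources with an optional "*." prefix. Ports and
// paths are ignored here; browsers implement the full CSP grammar.
function sourceMatches(src, resource, origin) {
  const s = src.toLowerCase();
  if (resource === "inline") return s === "'unsafe-inline'";
  const url = new URL(resource);
  if (s === "'self'") return url.origin === origin;
  if (s === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (s.startsWith("'")) return false; // nonces, hashes, other keywords
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const scheme = s.match(/^([a-z][a-z0-9+.-]*):\/\//);
  if (scheme && url.protocol !== scheme[1] + ":") return false;
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split("/")[0].split(":")[0];
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// A fetch directive falls back to default-src; no default-src means unrestricted.
function policyAllows(directives, directive, resource, origin) {
  const sources = directives.has(directive) ? directives.get(directive) : directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, resource, origin));
}

// Every delivered policy is enforced independently: a load must pass all of them.
function allPoliciesAllow(policies, directive, resource, origin) {
  return policies.every((p) => policyAllows(parsePolicy(p), directive, resource, origin));
}

// The question's <meta> policy, with a constructed host name in place of the real one.
const META_CSP = `default-src *;
  style-src 'self' 'unsafe-inline';
  script-src * 'self' https://checkout.payments.example 'unsafe-inline'
  connect-src : * 'self' https://checkout.payments.example 'unsafe-inline'
  frame-src : * 'self' https://checkout.payments.example 'unsafe-inline'
  'unsafe-eval';`;
// A stricter policy assumed to arrive from the web server or a plugin (constructed).
const HEADER_CSP = "default-src 'self'; script-src 'self' https://checkout.payments.example";
const ORIGIN = "https://shop.example"; // constructed page origin

console.log(lintPolicy(META_CSP));
console.log("inline script, <meta> only:", allPoliciesAllow([META_CSP], "script-src", "inline", ORIGIN));
console.log("inline script, <meta> + header:", allPoliciesAllow([META_CSP, HEADER_CSP], "script-src", "inline", ORIGIN));
```

Run it with node; the lint output lists the swallowed connect-src and frame-src directives and the two stray colons, and the two evaluations show the inline script passing the <meta> policy alone but failing once the constructed header policy is enforced as well, which is the situation the error message in the question describes.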

You're missing the img-src https://*.stripe. described in the Stripe documentation.

Also the asterisk character alone doesn't work as "any resource" (example of incorrect use in your code: default-src *). You need to use it as part of the <host-source> (e.g. *.example.). See the MDN docs for more details.
