admin管理员组

文章数量:1399796

Even By using meta tags, It is still showing error and Iframe is not working

<meta http-equiv="Content-Security-Policy" content="
         default-src *; 
         style-src 'self'  'unsafe-inline'; 
         script-src * 'self'  'unsafe-inline' 
         connect-src : * 'self'   'unsafe-inline' 
         frame-src : * 'self'    'unsafe-inline' 
         'unsafe-eval' 
         ;" >

Link reference :

Error : Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

Also I used header() to set this up, but that also didn't worked. Any Help will be appreciated

Even By using meta tags, It is still showing error and Iframe is not working

<meta http-equiv="Content-Security-Policy" content="
         default-src *; 
         style-src 'self'  'unsafe-inline'; 
         script-src * 'self' https://checkout.stripe. 'unsafe-inline' 
         connect-src : * 'self' https://checkout.stripe.  'unsafe-inline' 
         frame-src : * 'self'  https://checkout.stripe.  'unsafe-inline' 
         'unsafe-eval' 
         ;" >

Link reference : https://stripe./docs/security/guide#content-security-policy

Error : Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

Also I used header() to set this up, but that also didn't worked. Any Help will be appreciated

  • javascript
  • php
  • stripe-payments
  • content-security-policy
Share Improve this question edited May 13, 2021 at 8:07 armin asked May 13, 2021 at 7:31 arminarmin 3066 silver badges19 bronze badges
Add a ment  | 

2 Answers 2

Reset to default 4

Your CSP has a lot of errors:

  1. You have missed semicolons ; to separate script-src / connect-src / frame-src directives lists.

  2. : is nor required in the connect-src : * ... and in the frame-src : * ...

  3. Remove 'unsafe-inline' and 'unsafe-eval' from the connect-src and frame-src directives, those are not supported there

  4. The * (asterisk) covers any host-sources like https://checkout.stripe. and wss://checkout.stripe.

BUT these are not significant, these just leads the CSP you have really is:

default-src *; 
style-src 'self'  'unsafe-inline'; 
script-src * 'self' 'unsafe-inline' 'unsafe-eval'

This CSP restrict nothing except data:-Urls usage. Therefore the error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)

cannot belong your CSP.
Looks like you already have CSP header published somewhere. Hence second CSP via <meta> or HTTP header does not have effect as expected.

Check what CSP header you really have got in browser, the tutorial is here.

Check web-server config in Nginx for add_header Content-Security-Policy ... or .htaccess file (if Apache) for Header set Content-Security-Policy ... presence.
Or maybe you have installed some plugins for managing CSP headers.

You're missing img-src https://*.stripe. described in the Stripe documentation.

Also the asterisk character alone doesn't work as "any resource" (example of incorrect use in your code: default-src *). You need to use it as part of the <host-source> (e.g. *.example.). See MDN docs for more details.

本文标签: javascriptStripe ConnectContent Security Policy issueStack Overflow

版权声明:本文标题:javascript - Stripe Connect : Content Security Policy issue - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744226690a2596125.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。