Content Security Policy of your site blocks some resources

  • Resolved ceyhunyildiz

    (@ceyhunyildiz)


    3 years, 2 months ago

    After the last update of Woocommerce, this is the error we get on product pages where Apple Pay option exists.

    Error message displayed in Chrome:

    Some resources are blocked because their origin is not listed in your site's Content Security Policy (CSP). Your site's CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.

A site's Content Security Policy is set either as via an HTTP header (recommended), or via a meta HTML tag.

To fix this issue do one of the following:
(Recommended) If you're using an allowlist for 'script-src', consider switching from an allowlist CSP to a strict CSP, because strict CSPs are more robust against XSS. See how to set a strict CSP.

Or carefully check that all of the blocked resources are trustworthy; if they are, include their sources in the CSP of your site. ??Never add a source you don't trust to your site's CSP. If you don't trust the source, consider hosting resources on your own site instead.

2 directives
Resource	Status	Directive	Source Location
https://m.stripe.network/	blocked	frame-src	m-outer-f045e3.....js:1
https://pay.google.com/gp/p/js/pay.js	blocked	script-src-elem
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Stuart Duff – a11n

    (@stuartduff)

    Automattic Happiness Engineer

    Hi @ceyhunyildiz,

    I’m not seeing any similar messages in Google Chrome when viewing my test installation which uses Stripe and has the Payment Request buttons like GooglePay and ApplePay enabled. Only GooglePay would display in the Chrome web browser. ApplePay only displays if you’re using an iOS or macOS device and its Safari web browser.

    The script which is being blocked from loading on your site is actually not ApplePay but GooglePay and is this script below identified within the error message you posted.

    https://pay.google.com/gp/p/js/pay.js

    Could you provide us with a link to the product you’re viewing in Chrome from your site?

    Thanks

    Thread Starter ceyhunyildiz

    (@ceyhunyildiz)

    Hello

    Yes i meant Google pay, please view a few products here on google chrome

    • This reply was modified 3 years, 2 months ago by ceyhunyildiz.
    Plugin Support Stuart Duff – a11n

    (@stuartduff)

    Automattic Happiness Engineer

    Hey @ceyhunyildiz,

    Visiting the product you’ve referenced when using Google Chrome I’m not seeing any similar error messages displaying on the page where the GooglePay button is displaying. Below is an animated screenshot of inspecting the site with Chrome’s Developer Tools using the Console feature.

    Image Link: https://cloudup.com/cYwgi23ONRC

    I can also click the GooglePay button and see the GooglePay popup displaying where I can then pay for the product using GooglePay.

    Image Link: https://cloudup.com/cc8LNyjv1D6

    Would you be able to provide us with the steps required to see this particular error message on your site just in case I’m missing something with my testing, please?

    Thanks

    Thread Starter ceyhunyildiz

    (@ceyhunyildiz)

    I am sorry because I can’t reproduce the error now either. It might have been Google’s script resource broken temporarily or something that is not related to us or the plugin. Thank you very much for your reply.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Content Security Policy of your site blocks some resources’ is closed to new replies.