Apple-Pay and Google-Pay CSP & Manifest Download errors #10751
Labels
status: blocked
The issue is blocked from progressing, waiting for another piece of work to be done.
type: bug
The issue is a confirmed bug.
Describe the bug
When loading a page with Apple-Pay and Google-Pay buttons, there are seemingly Content Security Policy errors due to Apple-Pay and Google-Pay enforcing false hashes, as well as manifest download errors.
To Reproduce
Enable Apple-Pay and Google-Pay as payment options.
Visit the checkout page and take a look at your console logs.
Actual behavior
Constantly having over 300 Content Security Policy errors on a single page load isn't good. As the 3rd party websites apply sha256 hashes, we can't use "unsafe-inline" either to work around these errors. And setting up the content policy for these specific hashes isn't a good solution either, as we never know when they will change.
Example of some of the Content Security Policy errors:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-zhyeDlZTEKZvKgtxHpxj4ydFABucKb8zpjZLFzOborc=' 'sha256-leLzbVxZAzOi3vU/QL+Ol4qnwxlwA0nSPFZDP71A4Kk=' 'sha256-mQ4LZTkAl1QYJkeyaT4nVx0YDeQ9WOH9k4ajt5PFvNU=' 'sha256-B3yoUHRULn1isE4VCTQnLT04X7QKzhw+FhvpPPZfR/w='". Either the 'unsafe-inline' keyword, a hash ('sha256-leLzbVxZAzOi3vU/QL+Ol4qnwxlwA0nSPFZDP71A4Kk='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Manifest Errors:
Unable to download payment manifest "https://www.google.com/pay".
Unable to download payment manifest "https://www.google.com/pay".
Unable to download payment manifest "https://pay.google.com/gp/p/payment_method_manifest.json".
Unable to download payment manifest "https://pay.google.com/gp/p/web_manifest.json".
Screenshots
Expected behavior
Desktop:
Additional context
I've been trying to get these sorted out, but never managed to do so. Unfortunately I'm not experienced enough to know if these issues are caused by my setup or WooPay. But it appears to me as if at least the Content Security Policy errors shouldn't be caused in the first place. For now I will try to add these hashes to my CSP and hope they don't change anytime soon.
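The violation message quoted above encodes the three rules that decide whether an inline style survives a `style-src` directive: a `sha256-…` source matches only if the hash of the exact inline bytes is listed, `'unsafe-inline'` is ignored by CSP3 as soon as any hash or nonce is present (which is why it cannot be used as a workaround here), and a hash never covers a `style=""` attribute unless `'unsafe-hashes'` is also present. The following Python is an added illustration of those rules, not code from this issue or from the WooCommerce/WooPay project. It reuses the `style-src` directive from the reported error verbatim; the inline CSS sample it hashes is constructed for the example.

```python
import base64
import hashlib

# style-src directive exactly as quoted in the CSP violation report in this issue.
REPORTED_STYLE_SRC = (
    "style-src 'self' "
    "'sha256-zhyeDlZTEKZvKgtxHpxj4ydFABucKb8zpjZLFzOborc=' "
    "'sha256-leLzbVxZAzOi3vU/QL+Ol4qnwxlwA0nSPFZDP71A4Kk=' "
    "'sha256-mQ4LZTkAl1QYJkeyaT4nVx0YDeQ9WOH9k4ajt5PFvNU=' "
    "'sha256-B3yoUHRULn1isE4VCTQnLT04X7QKzhw+FhvpPPZfR/w='"
)

# Constructed sample: the kind of inline CSS a payment-button script might inject.
SAMPLE_INLINE_STYLE = ".pay-button { height: 40px; border-radius: 4px; }"

HASH_PREFIXES = ("sha256-", "sha384-", "sha512-")


def csp_hash(inline_content: str) -> str:
    """CSP hash-source for inline content: SHA-256 over the exact UTF-8 bytes, base64.

    Any change to the content, including whitespace, produces a different value,
    which is why third-party inline styles that change over time break a hash list.
    """
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_directive(policy: str, name: str) -> list[str]:
    """Return the source list of one directive from a CSP header, quotes stripped."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.strip("'") for t in tokens[1:]]
    return []


def inline_style_allowed(sources: list[str], inline_content: str, *, is_attribute: bool = False) -> bool:
    """Apply the CSP3 matching rules for inline styles against a style-src source list."""
    has_nonce_or_hash = any(s.startswith(("nonce-",) + HASH_PREFIXES) for s in sources)
    # 'unsafe-inline' only works as a legacy allow-all; once a nonce or hash is
    # present the browser ignores it, so it is no workaround for hashed policies.
    if "unsafe-inline" in sources and not has_nonce_or_hash:
        return True
    if csp_hash(inline_content) not in sources:
        return False
    # A matching hash covers <style> elements; style="" attributes additionally
    # require 'unsafe-hashes', as the browser's error message states.
    return (not is_attribute) or "unsafe-hashes" in sources


def required_additions(sources: list[str], inline_content: str, *, is_attribute: bool = False) -> list[str]:
    """Source expressions that would have to be appended to style-src for this content to pass."""
    needed = []
    content_hash = csp_hash(inline_content)
    if content_hash not in sources:
        needed.append(f"'{content_hash}'")
    if is_attribute and "unsafe-hashes" not in sources:
        needed.append("'unsafe-hashes'")
    return needed


if __name__ == "__main__":
    sources = parse_directive(REPORTED_STYLE_SRC, "style-src")
    print("allowed sources:", sources)
    print("hash of sample:", csp_hash(SAMPLE_INLINE_STYLE))
    print("sample <style> allowed:", inline_style_allowed(sources, SAMPLE_INLINE_STYLE))
    print("to allow it as <style>, add:", required_additions(sources, SAMPLE_INLINE_STYLE))
    print("to allow it as style= attribute, add:",
          required_additions(sources, SAMPLE_INLINE_STYLE, is_attribute=True))
```

Running it against the reported directive shows the sample blocked and lists the single hash that would admit it as a `<style>` element, plus `'unsafe-hashes'` if the same CSS arrives as a `style` attribute. The same check can be pointed at the real inline content captured from the checkout page to confirm which of the 300-odd violations are hash mismatches and which are attribute styles that no hash list can satisfy on its own.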