Question posted in 
I am trying to integrate Stripe to my website, the problem is that I receive the following error:
js.stripe.com/v3/hcaptcha-invisible-078b5f9fb44d244a9ec072f93a216630.html#debugMode=false&parentOrigin=http%3A%2F%2Flocalhost:3 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src ‘self’". Either the ‘unsafe-inline’ keyword, a hash (‘sha256-CBu0w5uiOaPgb2R6Zgf7E0+STJHF4lcPIdhZzQXE6yk=’), or a nonce (‘nonce-…’) is required to enable inline execution.
I tried to solve it using the Stripe directives in this way:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' js.stripe.com code.jquery.com cdn.jsdelivr.net maps.googleapis.com 'unsafe-inline';">
But because the location of the file that is given the error is on the Stripe server, I think that those rules of the are not applied to that file.
I have made other integrations of give the same approach error to make sure, and I have solved it by putting the directives in the and it works, but I have not been able to solve the error described above.
If you want to see the same error, you just have to go to this Stripe link and inspect the browser in the console.
2
Answers
Somewhere the "Content-Security-Policy-Report-Only" response header is being set. As it is "Report-Only" (you can see this in the error message) nothing is actually blocked due to this policy, this is why it still works. But adding another policy in a meta tag doesn’t change anything because content needs to pass all CSPs present. You will need to identify how/where the report only policy is being set and modify it before enforcing it by changing it to just "Content-Security-Policy". You could add ‘unsafe-inline’, but it is of course unsafe. You could add the suggested hash value ‘sha256-CBu…’, which will work if it is outputting static code and as long as the code doesn’t change.
I was facing the same issue and very concerned. However, the Report Only is designed for testing policies and is supposed to simulate a policy, so I don’t believe it’s actually having any affect on the inline script itself.