
This is the actual error message when I tried to integrate Stripe with the front end.

Refused to frame 'https://js.stripe.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

I added this meta tag to the head, but unfortunately, it's not working.

meta(http-equiv="Content-Security-Policy", content="script-src 'self' https://js.stripe.com; script-src-elem 'self' https://js.stripe.com")

2 Answers


  1. You set the CSP for scripts only. In order to use an iframe, you need frame-src:

    meta(http-equiv="Content-Security-Policy", content="script-src 'self' https://js.stripe.com; script-src-elem 'self' https://js.stripe.com; frame-src https://js.stripe.com")
    
  2. There is a (default) CSP on your site and you are trying to add another one in a meta tag. Now the content needs to pass both policies. You need to identify how the original CSP is set and change it to allow the necessary content. You can likely remove the policy in the meta tag.

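The two answers combine: `frame-src` is the directive that governs the Stripe iframe, and every policy on the page has to allow it. The following is an added example, not code from the thread, that models this check in simplified form. The page origin `https://shop.example` and the header policy strings are assumptions; the header policy is inferred from the `default-src 'self'` in the error message.

```javascript
// Simplified model of how a browser decides whether a frame may load (added example).
// Sources supported: 'self', '*' and exact origins; real CSP matching has more cases.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive within one policy is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Checks one policy. frame-src falls back to child-src, then default-src.
function policyAllowsFrame(policyText, frameUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const directive = ['frame-src', 'child-src', 'default-src'].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null }; // frames unrestricted
  const target = new URL(frameUrl).origin;
  const allowed = policy.get(directive).some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target === pageOrigin;
    try { return new URL(src).origin === target; } catch { return false; }
  });
  return { allowed, directive };
}

// Every policy delivered for the page (header and meta) must allow the load.
function frameAllowed(policies, frameUrl, pageOrigin) {
  const blockedBy = policies
    .map((text) => ({ text, result: policyAllowsFrame(text, frameUrl, pageOrigin) }))
    .filter(({ result }) => !result.allowed)
    .map(({ text, result }) => `${result.directive} in "${text}"`);
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed inputs. HEADER is the site policy implied by the error message;
// PAGE is a placeholder origin.
const PAGE = 'https://shop.example';
const STRIPE = 'https://js.stripe.com/';
const HEADER = "default-src 'self'";
const META = "script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com";
const FIXED_HEADER = "default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com";

console.log(frameAllowed([HEADER, META], STRIPE, PAGE));  // header still blocks
console.log(frameAllowed([FIXED_HEADER], STRIPE, PAGE));  // header alone suffices
```

A meta policy can only tighten what the header policy already permits, so the allowance for `https://js.stripe.com` has to go wherever the original `default-src 'self'` is set.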