2

I'm working on a Ruby on Rails app where I'm planning to integrate Stripe payments. I'm using the stripe gem. I'm planning to use Elements, as described here.

I'm including Stripe.js like this:

= javascript_include_tag 'https://js.stripe.com/v3/'

In my charges.coffee file I have this:

$(document).on 'turbolinks:load', ->
  stripe = Stripe("<%= Rails.application.secrets['STRIPE_PUBLISHABLE_KEY'] %>")
  elements = stripe.elements()

When I load the app I currently get the following error in Safari:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

Any ideas on what I can do to solve this issue?

Anders
We should solve this issue by reading these posts together: https://stackoverflow.com/questions/8502307/chrome-18-how-to-allow-inline-scripting-with-a-content-security-policy#11672134 and https://stackoverflow.com/questions/35489518/stripe-checkout-css-content-policy-error – Fabrizio Bertoglio Nov 14 '17 at 09:00

1 Answer

0

I solved this today by upgrading secure_headers gem from v3 to the latest v5 and my illogical CSP errors went away.

Evolve
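
The three conditions named in the Safari error in the question, as an added example (not code from the question, the answer, or the secure_headers gem): a Ruby check of whether a `script-src` source list lets an inline script run. The policy string, script body, nonce and function names are constructed for illustration; it models only hash, nonce and 'unsafe-inline' matching, not 'strict-dynamic' or inline event handlers.

```ruby
require "digest"
require "base64"

# Constructed sample values, not taken from the question's app.
POLICY = "default-src 'self'; script-src 'self' https://js.stripe.com"
INLINE = "var stripe = Stripe('pk_test_placeholder');"

# Source list that governs scripts: script-src, falling back to default-src.
def script_sources(policy)
  directives = {}
  policy.split(";").each do |part|
    name, *sources = part.split
    # The first occurrence of a directive wins; later duplicates are ignored.
    directives[name.downcase] ||= sources if name
  end
  directives["script-src"] || directives["default-src"]
end

# CSP hash source expression for an inline script body.
def csp_hash(script_body)
  "'sha256-#{Base64.strict_encode64(Digest::SHA256.digest(script_body))}'"
end

# Returns [allowed, reason] for an inline <script> under the given policy.
def inline_script_verdict(policy, script_body, nonce: nil)
  sources = script_sources(policy)
  return [true, "no script-src or default-src restricts scripts"] if sources.nil?
  return [true, "nonce matches"] if nonce && sources.include?("'nonce-#{nonce}'")
  return [true, "hash matches"] if sources.include?(csp_hash(script_body))

  # Browsers ignore 'unsafe-inline' once any nonce or hash source is listed.
  strict = sources.any? { |s| s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
  unsafe_inline = sources.any? { |s| s.casecmp?("'unsafe-inline'") }
  return [true, "'unsafe-inline' present"] if unsafe_inline && !strict

  [false, "no matching hash, nonce or 'unsafe-inline' in script-src"]
end

if __FILE__ == $PROGRAM_NAME
  p inline_script_verdict(POLICY, INLINE)
  p inline_script_verdict("#{POLICY} #{csp_hash(INLINE)}", INLINE)
end
```

Allowing `https://js.stripe.com` as a host source covers only the external file; any inline script on the page still needs its own hash or nonce in the policy.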