
I'm using the Braintree JavaScript v3 SDK with a PayPal Checkout button for my shop.
Code example:

braintree.client.create({
  authorization: 'sandbox_xxxx'
}, function (err, clientInstance) {
  if (err) {
    console.log(err);
    return;
  }

  braintree.paypalCheckout.create({
    client: clientInstance
  }, function (paypalCheckoutErr, paypalCheckoutInstance) {
    if (paypalCheckoutErr) {
      console.error('Error creating PayPal Checkout:', paypalCheckoutErr);
      return;
    }

    paypal.Button.render({
      env: 'sandbox',
      commit: true,
      buttonStyle: {
        color: 'blue',
        shape: 'rect',
        size: 'medium'
      },
      payment: function () {
        return paypalCheckoutInstance.createPayment({
          flow: 'checkout',
          amount: '10.00',
          currency: 'EUR'
        });
      },

      onAuthorize: function (data, actions) {
        return paypalCheckoutInstance.tokenizePayment(data, function (err, payload) {
          if (err) {
            console.error('Error tokenizing PayPal payment:', err);
            return;
          }
          // Hand the payment method nonce to the server; the form posts to the
          // same origin, which the form-action 'self' directive allows.
          document.getElementById("paynonce").value = payload.nonce;
          document.getElementById("paymentform").submit();
        });
      },

      onCancel: function (data) {
        console.log('checkout.js payment cancelled', JSON.stringify(data, 0, 2));
      },

      onError: function (err) {
        console.error('checkout.js error', err);
      }
    }, '#paypal-button').then(function () {
      // Button rendered.
    });
  });
});

To secure my application I'm using my Content Security Policy:

    add_header Content-Security-Policy "default-src 'none'; 
    img-src 'self' *.paypal.com data:;
    manifest-src 'self'; 
    style-src 'self' 'unsafe-inline' *.braintreegateway.com *.braintree-api.com https://www.gstatic.com https://fonts.googleapis.com; 
    script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com; 
    font-src 'self' https://fonts.gstatic.com; 
    connect-src 'self' *.paypal.com *.paypalobjects.com *.braintreegateway.com *.braintree-api.com https://fonts.googleapis.com https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com; 
    object-src 'none'; 
    base-uri 'self'; 
    form-action 'self'; 
    frame-src *.paypal.com *.braintreegateway.com *.braintree-api.com; 
    frame-ancestors 'none';";

The button is working fine, but the problem is I still receive reports and errors because PayPal executes inline JavaScript:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx='), or a nonce ('nonce-...') is required to enable inline execution.

[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com".

As you can see, I whitelisted all important URLs. I also add a nonce to run the scripts:

<script nonce="xxxx" src="https://www.paypalobjects.com/api/checkout.js" data-version-4 log-level="warn"></script>
<script nonce="xxxx" src="https://js.braintreegateway.com/web/3.55.0/js/paypal-checkout.min.js"></script>

Not sure if it has to do with this: for cross-site cookies I use session.cookie_samesite = Strict and get these warnings:

A cookie associated with a cross-site resource at http://developer.paypal.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://www.paypal.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

For a total of 9 PayPal subdomains.

EDIT: I checked my HTML and found there are multiple inline scripts rendered into the PayPal button HTML; check my attachment.

How can I solve this problem?

[attachment: screenshot of the inline scripts in the rendered PayPal button HTML]

delato468

1 Answer


For the cookie warnings, these are associated with PayPal's domains and it is their responsibility to update them. In current stable Chrome, these warnings are purely informational and are not affecting behaviour. However, if you're using Canary, Dev, or Beta versions you may experience those cookies being blocked.

More context is available at:

It sounds as if those PayPal scripts are trying to inject additional scripts in the page. You may want to consider 'strict-dynamic' to allow the trust to propagate to additional resources:

script-src 'nonce-xxxx' 'strict-dynamic';

This will cause the whitelist or source expressions such as 'self' or 'unsafe-inline' to be ignored, but you can also include them for browsers that do not support strict-dynamic.

Your errors are specifically about 'unsafe-inline' and 'unsafe-eval', so for older browsers you may need to consider those as well. However, I'd test with the strict-dynamic first to see if that meets your needs.

script-src 'nonce-xxxx' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' 'self' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com; 

I would also validate that you definitely do not have any inline scripts in the page that you have missed (either from your own code or other third-party services that are not PayPal), in case these are the source of the errors.

rowan_m