
I'm trying to set up a PayPal transparent checkout but got stuck on a CSP browser error. I did all the tests in sandbox mode and it worked like a charm, but when I switched to the live environment I started receiving CSP errors. I tried all kinds of values in <meta http-equiv="Content-Security-Policy" content="XXXXXXXXXX"> and it still didn't work. How can I solve it?

full browser console error:

payment-selection:1 Refused to set the document's base URI to 'https://www.paypalobjects.com/web/res/c30/165e8147117bd1483979affdece85' because it violates the following Content Security Policy directive: "base-uri 'self' https://*.paypal.com".

Thiago Dias
  • Just add the blocked source into the `base-uri` directive: `"base-uri 'self' https://*.paypal.com https://www.paypalobjects.com"`. The `https://www.paypalobjects.com` domain is under PayPal control, since `Nslookup paypalobjects.com` resolves to the IPs 64.4.250.19, 64.4.250.20, 64.4.250.14, and the whole `64.4.240.0 - 64.4.251.255` range belongs to PayPal. Therefore it's not malware that is blocked by CSP, but some PayPal stuff. – granty Apr 10 '21 at 16:26
  • Thanks, but it didn't work, it returned the same error. I tried it like this: – Thiago Dias Apr 10 '21 at 19:28
  • I'm on localhost, does it matter? – Thiago Dias Apr 10 '21 at 19:35
  • Looks like by `` you published a second CSP. You have to edit the first one; maybe it's published via an HTTP header. – granty Apr 10 '21 at 21:12
  • I'm sorry but I didn't understand. What do you mean by a second CSP and editing the first one? This is the only one I'm using. – Thiago Dias Apr 10 '21 at 21:40
  • If you have only one CSP, then the error should be `... because it violates the following Content Security Policy directive: "base-uri 'self' https://*.paypal.com https://paypalobjects.com"` (https://paypalobjects.com should appear). But you say you have the same error as before. This means that the same CSP as before is applied, but not the one from the meta tag you show. – granty Apr 10 '21 at 21:53
  • I'm confused haha. I used the one you commented above (only one), this: the error is: Refused to set the document's base URI to 'https://www.paypalobjects.com/web/res/c30/165e8147117bd1483979affdece85' because it violates the following Content Security Policy directive: "base-uri 'self' https://*.paypal.com". – Thiago Dias Apr 10 '21 at 21:58
  • The print screen of the current HTML code and the error shown on the console: https://postimg.cc/gallery/hhdgr5r – Thiago Dias Apr 10 '21 at 22:00
  • Ok, before you added the ``, you had a CSP published somewhere; exactly this CSP blocked `base-uri` access with the message in the start post. You need to change the base-uri directive in this original CSP instead of adding a meta tag. – granty Apr 11 '21 at 13:00
  • I think I understand now, but I don't have any CSP prior to this one. I also tried to define this exact CSP header in Apache .htaccess and it also didn't work. – Thiago Dias Apr 11 '21 at 13:20
  • If you didn't have any CSP, who blocked `https://www.paypalobjects.com/` in the start post? Could you please check whether you have any CSP in the HTTP headers? A tutorial is [here](https://stackoverflow.com/questions/64060894/trouble-with-content-security-policy/64068629#64068629). It does not matter how you publish the CSP: via meta tag or via .htaccess file. Note: if a CSP does not have a `base-uri` directive, the block as in the start post will never occur. – granty Apr 11 '21 at 15:37
  • Is this your CSP's fault or not? The browser console is a single one, and all errors fall into one heap. For example, if you are using Paypal ` – granty Apr 11 '21 at 17:03
  • Well, I honestly have no idea, because I also forced my CSP headers on my backend (PHP and/or Apache) and also tested only with meta tags. I've seen that a lot of people are suffering from this issue on PayPal forums, but I thought it was my application's problem. – Thiago Dias Apr 11 '21 at 18:03
  • You can temporarily remove your own CSP and check if it's a Paypal's ` – granty Apr 11 '21 at 19:22
  • That's the problem: I'm using the checkout only with JS, but it seems that the form "injected" by PayPal JavaScript uses an iframe underneath. – Thiago Dias Apr 11 '21 at 19:39
  • Yes, PayPal payment is always an iframe. I should have guessed right away that base-uri + PayPal domain wasn't relevant to your page. It's PayPal's internal CSP trouble. I hope this error does not block payment on the site, because only PayPal can fix it. – granty Apr 11 '21 at 20:34
  • I have the same issue with PayPal+. Since this morning I've been reading different forums, and many people are suffering from this, but there is no solution ^^ – Mehrnoosh May 28 '21 at 18:21
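The thread turns on one diagnostic point: a page can deliver several CSPs at once (an HTTP `Content-Security-Policy` header plus a `<meta http-equiv>` tag), every one of them is enforced independently, and the policy quoted in the console error is the one that refused the `<base>` element, so loosening a different policy changes nothing. The script below is an added example, not code from the question or any commenter: it takes a raw HTTP response (a constructed sample is embedded, with an assumed merchant origin `https://shop.example`), lists every policy it carries, and reports which of them would refuse the `https://www.paypalobjects.com/...` base URI from the console error. The source-expression matching is a simplified version of the CSP rules (scheme, host, port, `*.` wildcard, `'self'`, `'none'`; paths are ignored).

```python
"""Added example: enumerate every CSP a response delivers (HTTP header and
<meta http-equiv> tags) and report which of them would refuse a base-uri.
The sample response below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"  # assumed origin of the merchant page
# Base URI quoted in the console error from the question
BLOCKED_URL = "https://www.paypalobjects.com/web/res/c30/165e8147117bd1483979affdece85"

# Constructed sample: a header CSP that lacks www.paypalobjects.com plus a
# later-edited meta-tag CSP that allows it (the situation in the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: base-uri 'self' https://*.paypal.com\r\n"
    "\r\n"
    "<html><head>\n"
    "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self'; "
    "base-uri 'self' https://*.paypal.com https://www.paypalobjects.com\">\n"
    "</head><body></body></html>\n"
)


class _MetaCSP(HTMLParser):
    """Collects the content of <meta http-equiv="Content-Security-Policy"> tags."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(("meta", a.get("content", "").strip()))


def extract_policies(raw_response):
    """Return [(where, policy_text)] for every CSP in a raw HTTP response.
    Repeated headers and comma-separated header values each carry separate
    policies; the browser enforces all of them independently."""
    head, _, body = raw_response.partition("\r\n\r\n")
    policies = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-security-policy":
            policies += [("header", p.strip()) for p in value.split(",") if p.strip()]
    parser = _MetaCSP()
    parser.feed(body)
    return policies + parser.policies


def directive_sources(policy, name):
    """Source list of directive `name`, or None when the policy lacks it."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def source_allows(source, url, page_origin):
    """Simplified CSP source matching: 'self', 'none', '*', scheme-source, and
    host-source with optional scheme, port and a leading '*.' wildcard."""
    source = source.lower()
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if source.startswith("'"):
        return False                              # nonces/hashes never match a URL
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]            # scheme-source such as "https:"
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    default_port = {"https": 443, "http": 80}.get(u.scheme)
    if s.port is not None and s.port != (u.port or default_port):
        return False
    host, pattern = u.hostname or "", s.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])         # *.paypal.com matches www.paypal.com, not paypal.com
    return host == pattern


def blocking_policies(policies, url, page_origin):
    """Policies whose base-uri directive would refuse `url`, as (where, directive).
    The most restrictive policy wins, so the directive quoted in the console
    error identifies the policy that must be edited."""
    blocked = []
    for where, policy in policies:
        sources = directive_sources(policy, "base-uri")
        if sources is None:
            continue                              # no base-uri directive: cannot refuse a <base>
        if not any(source_allows(s, url, page_origin) for s in sources):
            blocked.append((where, "base-uri " + " ".join(sources)))
    return blocked


if __name__ == "__main__":
    found = extract_policies(SAMPLE_RESPONSE)
    for where, policy in found:
        print(f"{where:6} {policy}")
    for where, directive in blocking_policies(found, BLOCKED_URL, PAGE_ORIGIN):
        print(f'refused by {where} policy: "{directive}"')
```

Run against the sample, the meta policy allows the base URI but the header policy still refuses it, and the refusing directive text is exactly the one the browser quotes, which is how a fixed meta tag can leave the error message unchanged. Two caveats worth remembering from the thread: a policy with no `base-uri` directive can never produce this error, and a policy delivered by the merchant page does not apply inside a cross-origin iframe such as PayPal's checkout, whose document carries its own CSP.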

0 Answers