Anyone here had experience with PayPal Content Security Policy?
I tried to make a dummy purchase using Chrome Developer tools and this message is written in the bottom box: Content Security Policy blocks inline execution of scripts and stylesheets
(See attachment)
There must be a line of code to go in the <head> lurking somewhere, PayPal doesn't want to make it simple.
So, does anyone have any knowledge of this CSP? It's certainly preventing any PayPal sales that's for sure.

CSP1.png

Recommended Answers

All 11 Replies

Hello!

What does your Content Security Policy currently look like, and what type of PayPal integration do you have set up? Your CSP might be blocking PayPal's scripts from running or forms from executing.

Here at DaniWeb, we have some pages such as our DaniWeb Premium donation page where we have a PayPal form submission. Therefore, our content-security-policy has to look like this:

frame-ancestors 'none'; form-action 'self' https://www.paypal.com

In other words, we want DaniWeb pages to only be able to submit forms to daniweb.com domains or to PayPal.

Your CSP gets set up with an HTTP header. With PHP, I can do it as so:

header("content-security-policy: form-action 'self' https://www.paypal.com");
commented: Very helpful, the first person to come up with some kind of explanation and a solution, a big thank you! +0

As I came across your recent rant about CSP, is it still giving you trouble? Can I provide more assistance?

commented: I've seen my punters (via Ms Clarity) press on the Buy Now buttons and they just don't respond, there's no pointer/hand. +0

Following on from my comment, PayPal don't seem to mind their merchants having techie problems, their Community has a lot of questions regarding this topic, I'm not the only one.
I paid a Developer to solve it, he spent a lot of hours on my site's Apache server as he was convinced that's where the trouble lay, but I'm afraid it was still the same, I think he had to give up.
I have no idea what a CSP looks like or where it lives, apparently it runs with something called a 'nonce' - a renewable code that runs only once.
I seem to be on a mission with this problem, so yes, I'd appreciate your input totally. Steve

Did adding the PHP code:

header("content-security-policy: form-action 'self' https://www.paypal.com");

to your PHP page that contains the PayPal button not fix your problem?

CSP is simply an HTTP header that gets spit out from your PHP code (or whatever other programming language you happen to be using). It doesn't really "live" anywhere, as it's not something that is installed on your server or anything like that.

If the above PHP code didn't work, please link me to the webpage that includes the PayPal button.

commented: Only just seen this Dani, I will try it tomorrow (later!) as it's nearly 3am. My sincere thanks to you +0

I put the code you suggested in the <head> section:
(see code block)

Uploaded it, then I went to chrome developer tools, loaded my page and it came up with the red warning.
So I commented out the google tag .js & the cookie bar, re-submitted and there was no warning and the PayPal purchase was enabled, no warnings whatsoever .
Previous to your helpful code Dani, I have tried the above trick of commenting out to no avail, but with your code it seems to work.
I'm just gonna have a play around and see just who is the offender, Google or Cookie?

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="MSSmartTagsPreventParsing" content="TRUE">
    <?phpheader("content-security-policy: form-action 'self' https://www.paypal.com");?>
    <meta name="robots" content="index,follow">

I'll update . . . Steve

Looks like it's found something else now that violates their precious CSP.
(See attatched) Steve

Google-Cookie1.png

What I'll do is copy the page because it's a site with an Adult theme.
Then I'll send you the html.
By the way, I can make successful payments, but anyone else, no.
Maybe that gives you a clue?
Since you messaged that code and it decided not too work after all, I did some more researching, looking at the various ways in which website owners & developers have cured this, but most of it went straight over my head, so I decided not to play with fire.
I once again thank you for your help Dani, I really do appreciate it, Steve

Sending me the HTML alone won't be of assistance. What I need to see are the HTTP headers of the page that is loading the Paypal script in addition to the HTML that loads the Paypal script.

If you are using Chrome, for example you can right click and choose Inspect to bring up Chrome Developer Tools. Then, load the page in question. Click the Network tab of the Developer Tools window, and in the sidebar where it says Name, choose the filename for the HTML page. It should look something like this. Be sure to show all of the Response Headers.

Attached is a screenshot I just took of DaniWeb's homepage. You can see that it shows the content-security-policy that I showed you in a previous post that I am using.

Also, I appreciate you not linking to adult material from DaniWeb, as we are a student-friendly community for everyone 13+.

We'll get this figured out for ya.

commented: Besides I'm conversing with a woman and I consider myself a gentleman. I wonder if I could send the html by PM, then you can decide if it's fit. +0

Thank you Dani, I wanted to 'Save as Web Page' so you had the browser complete with the scroll bar, but I can't attach the actual folder with all the files in your mail.
There's a lot of files: General, Request & Response headers, some which are out of sight, so the scroll bar would be essential for the information you'd be needing, if I'm right?
Your .php script you kindly sent has taken out the 'Add to Cart' & the 'Review Cart' buttons, the 'Buy Now' is hosted on the Apache server
I'll attach a screen shot. Steve

response_headers.png

Hi Dani, I've been reserching and trying time after time with different variations of <meta> tags, but there's one I found on a CSP tips n' tricks site, I tried it and it seems to be better than anything else so far.
I've attached it as it wouldn't post here.
I appreciate your help, thank you, Steve

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.