updated CSP configuration #912
Comments
Hey @DoroGi, thanks for reporting this to us. We'll add a card in our backlog to get our Drop-In reference documentation up to date ASAP. We'll also reach out to CardinalCommerce about that AWS URL you saw to verify whether we should also update our 3DSecure-specific directives. For internal tracking -> 28714
Thank you very much!
Hi, thank you for the update on Google Pay! Also, I just noticed that there are a number of calls directed to "spay.samsung.com".
+1. Not only is the amazonaws URL extra, there is also configuration missing from the documentation, for example form-action. PayPal also needs *.paypalobjects.com in img-src. Seeing that my other issue (#939) is ignored as well, I don't see a fast resolution here.
General information
Issue description
I find the CSP documentation to be incomplete.
I implemented the CSP as shown here: https://braintree.github.io/braintree-web-drop-in/docs/current/index.html#content-security-policy, but I started receiving reports of a few URLs (i.e. www.paypalobjects.com and https://google.com/pay) not being allowed.
Then I found that braintree-web has a different suggested configuration here: https://braintree.github.io/braintree-web/current/, which seems to be more up to date than the drop-in one.
Using those configurations for Google Pay and PayPal, I fixed the issue. Should the drop-in doc be updated? Or maybe merged into the braintree-web one?
Also, I still receive some CSP reports regarding a specific AWS URL ([omitted].us-east-1.amazonaws.com/prod/log) being called by a cardinalcommerce script. Is this intended? Do I have to add a CSP conf for it?
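A way to turn the CSP violation reports described above into a per-directive list of what a policy is missing, added here as an example for this thread; it is not Braintree's code and the policy string is not Braintree's documented policy. The policy and the report lines are constructed: the third-party hosts are the ones named in the issue, the gateway hosts are invented placeholders, and "omitted.us-east-1.amazonaws.com" stands in for the redacted AWS host. It reads both the legacy `report-uri` JSON shape and the Reporting API shape, applies the default-src fallback, treats `*.host` wildcards correctly, and keeps keyword violations such as `inline` apart from hosts, since those need a nonce or hash rather than a new source:

```python
"""Group CSP violation reports by directive and list the blocked origins a policy
does not allow. Added example, not Braintree code or policy. Handles the legacy
report-uri shape ({"csp-report": {...}}) and the Reporting API shape."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for a documented policy; the gateway hosts are placeholders.
DOCUMENTED_POLICY = ("default-src 'self'; script-src 'self' https://js.example-gateway.test; "
                     "img-src 'self' data: https://*.example-gateway.test; "
                     "connect-src 'self' https://api.example-gateway.test")

# Constructed reports, not real telemetry. Third-party hosts are those named in the
# issue; "omitted.us-east-1.amazonaws.com" stands in for the redacted AWS host.
DOC = "https://shop.example/checkout"
def _legacy(fields):
    return json.dumps({"csp-report": {"document-uri": DOC, **fields}})
def _reporting_api(fields):
    return json.dumps({"type": "csp-violation", "body": {"documentURL": DOC, **fields}})

SAMPLE_REPORTS = [
    _legacy({"effective-directive": "img-src", "blocked-uri": "https://www.paypalobjects.com/webstatic/icon.png"}),
    _legacy({"effective-directive": "img-src", "blocked-uri": "https://www.paypalobjects.com/webstatic/logo.png"}),
    # older browsers send only violated-directive, which carries the whole source list
    _legacy({"violated-directive": "frame-src 'self'", "blocked-uri": "https://google.com/pay"}),
    _reporting_api({"effectiveDirective": "connect-src", "blockedURL": "https://spay.samsung.com/"}),
    _reporting_api({"effectiveDirective": "connect-src",
                    "blockedURL": "https://omitted.us-east-1.amazonaws.com/prod/log"}),
    # already covered by the img-src wildcard, so it must not be listed as missing
    _legacy({"effective-directive": "img-src", "blocked-uri": "https://assets.example-gateway.test/card.png"}),
    # inline script: the browser sends a keyword, not a URL
    _legacy({"effective-directive": "script-src", "blocked-uri": "inline"}),
    json.dumps({"type": "deprecation", "body": {}}),  # unrelated report type, skipped
]

# Fetch directives that fall back to default-src when absent (form-action does not).
FALLS_BACK_TO_DEFAULT = {"child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
                         "media-src", "object-src", "script-src", "style-src", "worker-src"}

def parse_report(raw):
    """Normalise one JSON report to {directive, blocked, document}; None if unusable."""
    data = json.loads(raw)
    if "csp-report" in data:
        r = data["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        blocked, document = r.get("blocked-uri", ""), r.get("document-uri", "")
    elif data.get("type") == "csp-violation":
        r = data.get("body", {})
        directive = r.get("effectiveDirective", "")
        blocked, document = r.get("blockedURL", ""), r.get("documentURL", "")
    else:
        return None
    directive = directive.split()[0].lower() if directive.strip() else ""
    return {"directive": directive, "blocked": blocked, "document": document} if directive and blocked else None

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; keywords such as 'inline' or 'eval' pass through."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else url

def parse_policy(policy):
    """Split a CSP header value into {directive: [source, ...]}."""
    return {p.split()[0].lower(): p.split()[1:] for p in policy.split(";") if p.split()}

def source_allows(source, origin, document_origin):
    """Does one source expression cover an origin? 'self', scheme:, host, *.host, scheme://host only."""
    if source.startswith("'"):
        return source == "'self'" and origin == document_origin
    if source.endswith(":"):                                     # scheme source, e.g. https:
        return origin.startswith(source.lower() + "//")
    scheme, _, rest = source.partition("://")
    if not rest:                                                  # bare host source
        rest = source
    elif not origin.startswith(scheme.lower() + "://"):
        return False
    pattern = rest.split("/")[0].rsplit(":", 1)[0].lower()        # drop path and port
    host = (urlsplit(origin).hostname or "").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def missing_sources(reports, policy):
    """Return {directive: {blocked origin: count}} for violations the policy does not explain."""
    pol = parse_policy(policy)
    missing = defaultdict(lambda: defaultdict(int))
    for raw in reports:
        rep = parse_report(raw)
        if rep is None:
            continue
        origin, doc_origin = origin_of(rep["blocked"]), origin_of(rep["document"])
        sources = pol.get(rep["directive"])
        if sources is None and rep["directive"] in FALLS_BACK_TO_DEFAULT:
            sources = pol.get("default-src")
        if "://" in origin and any(source_allows(s, origin, doc_origin) for s in sources or []):
            continue                                              # already allowed: stale report
        missing[rep["directive"]][origin] += 1                    # keywords ("inline") stay as-is
    return {d: dict(c) for d, c in missing.items()}

if __name__ == "__main__":
    for directive, origins in sorted(missing_sources(SAMPLE_REPORTS, DOCUMENTED_POLICY).items()):
        print(directive, origins)
```

Run it and the output lists `www.paypalobjects.com` under img-src, `google.com` under frame-src, and both the Samsung Pay and the AWS host under connect-src, while the gateway asset host is absent because the wildcard already covers it; the `inline` entry under script-src is deliberately kept separate, because the fix there is a nonce or hash, not another host. The matcher ignores path and port components, so treat its output as a review list rather than something to paste into a header unchanged.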