PayPal v5 SDK checkout button still has problems with 'unsafe-inline' / 'unsafe-eval' script [CSP]
Description
EDIT
I found that data-csp-nonce is now available: https://developer.paypal.com/docs/checkout/reference/customize-sdk/#csp-nonce. But this does not solve the unsafe-eval errors.
I'm using the latest PayPal SDK v5. I was told the CSP inline-script problems should be resolved, but I still get "refused to evaluate" and "refused to execute inline script" errors:
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-xxx' *.google.com *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com".
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-xxx' *.google.com *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com".
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-xxx' *.paypal.com *.paypalobjects.com *.google.com *.braintreegateway.com https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx'), or a nonce ('nonce-...') is required to enable inline execution.
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-xxx' *.google.com *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx'), or a nonce ('nonce-...') is required to enable inline execution.
Now even a new resource popped up to bloat my site: "tracking.ga.paypal.com". I added all needed resources to my CSP and nonces to my script. The button is working despite the CSP problems.
Code:
```js
// Braintree client -> PayPal Checkout component -> PayPal Smart Button.
braintree.client.create({
  authorization: 'xxx' // tokenization key or client token from the server
}).then(function (clientInstance) {
  return braintree.paypalCheckout.create({
    client: clientInstance
  });
}).then(function (paypalCheckoutInstance) {
  // paypal.Buttons comes from the PayPal JS SDK v5 loaded via <script src=".../sdk/js">.
  return paypal.Buttons({
    style: {
      layout: 'horizontal',
      color: 'blue',
      shape: 'rect',
      tagline: true // boolean option; only honoured with the horizontal layout
    },
    // Vault flow: the buyer approves a billing agreement instead of a one-off payment.
    createBillingAgreement: function () {
      return paypalCheckoutInstance.createPayment({
        flow: 'vault'
      });
    },
    onApprove: function (data, actions) {
      // Exchange the approval for a Braintree payment method nonce and post it to the server.
      return paypalCheckoutInstance.tokenizePayment(data).then(function (payload) {
        document.getElementById('paynonce').value = payload.nonce;
        document.getElementById('paymentform').submit();
      });
    },
    onCancel: function () {
      // buyer closed the PayPal window
    },
    onError: function (err) {
      // SDK-level failure; surface it to the buyer in a real integration
    }
  }).render('#paypal-button');
}).catch(function (err) {
  console.error('Error!', err);
});
```
Affected browsers
- Chrome, Version 78.0.3904.87 (Official Build) (64-bit)
Issue Analytics
- State:
- Created 4 years ago
- Reactions:2
- Comments:29 (3 by maintainers)
@BriceShatzer The issue is not about exploiting the PayPal SDK, it's about making our services vulnerable to XSS attacks by disabling CSP because the PayPal SDK doesn't work with CSP due to this bug, and therefore putting our business, our customers and ourselves at risk.
I cannot believe that the issue needs to be clarified after nearly 1.5 years.
Hi Everyone, this is indeed a bug with the PayPal JS SDK. I apologize for the delay. We want merchants to be able to trust our SDK and this bug is preventing that. We are discussing internally to get this prioritized and fixed asap. I’ll post an update on this thread on Monday 4/19.