Content Security Policy - Directives to enable PayPal checkout
For what seems an absolute age I've been trying to get my checkout working to enable my customers to have a stress-free payment.
Everything is fine until the last hurdle, the dreaded checkout/payment page, it loads, the customer fills in his/her details, then they get: 'sorry, things aren't working at the moment, please try later'. The never used to happen, I've been with PayPal for well over a decade, it used to be reliable.
I have been compiling a content security policy, it's an .htaccess header that lives in the root directory of my Apache server.
I tried (unsuccessfully) to use the meta tag version in the 197 pages <head> section, but it was a mega fail.
The whole reason for the Policy is to prevent fraud which I understand, so to my mind, there should be a special page dedicated to giving the directives: script-src style-src 'self' 'nonce' etc to enable PayPal to serve it's purpose, but, having spent entire days & evenings searching the internet and guessing, trying to find the correct ones, I have drawn a blank.
I now have so many urls in my CSP .htaccess it looks ridiculous, but it still shows so many errors (currently there's 7 red blockages and 28 warnings).
I use Chrome Developer & Firefox tools, I check the Policy on every alteration with https://cspvalidator.org/ and https://csp-evaluator.withgoogle.com/
I avoid using 'unsafe-eval' and if I use script-src-elem my site closes down (but script-src-elem falls back to script-src anyway - apparently)
There are so may questions from merchants & developers about this topic, some go back 5 years or more and they *still* don't have any answers.
I'll give you an example:
these are the main culprits, there are others, but these persist, even though they're in the font-src directive list, they're still blocked.
As far as I can find out, 'hermes' is a delivery company, I don't even need that anyway as mine is all digital download.
All my other scripts, images, buttons, css work as they should, I've carefully picked up on each one and whitelisted it.
Ms Clarity, PiwikPro, Fetchapp, Translate etc ALL give you the correct directives and where they should be placed - easy peasy, but not our multi-million PayPal company, they like to see us sweat.
If I go to the Help pages there's plenty of cries for help, but no answers. The best I have seen is a load of us stabbing away in the dark in StackOverflow and the likes, all comparing notes and trying each other's results. PayPal's techie team (after a week's wait) just send you to pages that I've already seen, that's not the way it's supposed to be - is it?
There doesn't seem to be a CSP specialist who can give results, I''ve watched loads of YouTube videos, I have paid 2 'developers' so far that gave me their word they could solve this, but both gave up saying that it must be PayPal and therefore out of their hands.
Sorry to rant on, but this is now starting to affect my health and my moods, but I refuse to give up, but now I'm in a cul-de-sac and I'm asking for help.
Thank you for reading. SS
PayPal HTML Buttons
Good day @OldLeakeyDJ,
Thank you for posting to the PayPal community.
I would suggest to process a test payment via card which is not linked to your PayPal account. Since, merchant can't process self payments.
If your still facing any issues, please create a MTS ticket via - https://www.paypal-support.com/s/?language=en_US with the detail information and error details.
If this post or any other was helpful, please enrich the community by giving kudos or accepting it as a solution.
Thank you for your reply sir, I'm grateful for any help I can get to solve this situation.
One of your suggestions to go to Wallet doesn't exist anymore, but I got confirmation on my bank and cards and my Busiiness account is AOK.
I have made a test transaction many times, yes, it works for me, but I guess my details are saved? But it's a great way of saving money!
I have even tried different programs to run my site ie: Wordpress, OpenCart etc., BUT they all use the same gateway and that's where my problem lies for my customers - the well know phrase - Things don't seem to be working . . . .
I take it that there's no PayPal page that lists the directives? I'm sure you'd have pointed it out straight away.
As I told you in my previous message, I've been sitting here for weeks trying to get zero CSP blockings, but it seems that I cure one and another one comes up, it tries the patience of Jobe.
Yes, I've opened tickets, waited days for a reply, only to get a reply linking to one of the many pages I've already been to, so I'm reluctant to do that anymore as nobody at PayPal seems to know the CSP directives to put on my server to make the PayPal gateway clear for a buyer?
Currently this one of the 4 blockages at Checkout:
Content Security Policy: The page's settings blocked the loading of a resource at eval ("script-src").
I don't have 'script-src-eval', the directive is a no no, so now I have today's problem solving project - and so it goes on . . .
Still here, still battling away with the CSP, it's been months.
I need to know if there's an experienced developer who knows all about the CSP?
If there is anyone who knows the secrets of the CSP gateway, please share!
I have been all through the PP Community, through the PayPal help, through my site set-up, StackOverflow, GitHub etc., Google has been my closest friend.
My site and the buttons all work, the problem lies within the checkout/login - I have so many warnings and blocked settings, mostly from Google with their dozens of different domains, paypal's urls which no longer work (404) fonts & css failures etc.
So if there's a developer lurking locally that could oversee my CSP I'd be overjoyed.
Thanks in anticipation.
Haven't Found your Answer?
It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.
- Paypal direct card payment while pressing checkout, white screen appears and keeps loading, in SDKs
- Stuck on loading screen when payment options should appear in NVP/SOAP APIs
- Why did it capture fail and order status is PAYER_ACTION_REQURIED? in REST APIs
- Angular 14 app and my "Request is not well-formed, syntactically incorrect, or violates schema." in Sandbox Environment