CSP问题执行内联脚本Paypal按钮

时间:2019-11-05 17:38:37

标签: paypal paypal-sandbox braintree content-security-policy braintree-sandbox

我正在使用braintree javascript v3 sdk,并在我的商店中使用贝宝结帐按钮。
代码示例:

braintree.client.create({
      authorization: 'sandbox_xxxx'
    }, function(err, clientInstance) {
      if (err) {
        console.log(err);
        return;
      }
braintree.paypalCheckout.create({
            client: clientInstance
          }, function (paypalCheckoutErr, paypalCheckoutInstance) {

            if (paypalCheckoutErr) {
              console.error('Error creating PayPal Checkout:', paypalCheckoutErr);
              return;
            }

            paypal.Button.render({
              env: 'sandbox',
              commit: true,
              buttonStyle: {
                  color: 'blue',
                  shape: 'rect',
                  size: 'medium'
                },      
              payment: function () {
                return paypalCheckoutInstance.createPayment({
                    flow: 'checkout', 
                    amount: '10.00', 
                    currency: 'EUR'
                });
              },

              onAuthorize: function (data, actions) {
                return paypalCheckoutInstance.tokenizePayment(data, function (err, payload) {
                    document.getElementById("paynonce").value = payload.nonce;
                    document.getElementById("paymentform").submit();
                });
              },

              onCancel: function (data) {
                console.log('checkout.js payment cancelled', JSON.stringify(data, 0, 2));
              },

              onError: function (err) {
                console.error('checkout.js error', err);
              }
            }, '#paypal-button').then(function () {

            });

          });
    });

要使用我的内容安全警察来保护我的应用程序,

    add_header Content-Security-Policy "default-src 'none'; 
    img-src 'self' *.paypal.com data:;
    manifest-src 'self'; 
    style-src 'self' 'unsafe-inline' *.braintreegateway.com *.braintree-api.com https://www.gstatic.com https://fonts.googleapis.com; 
    script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com; 
    font-src 'self' https://fonts.gstatic.com; 
    connect-src 'self' *.paypal.com *.paypalobjects.com *.braintreegateway.com *.braintree-api.com https://fonts.googleapis.com https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com; 
    object-src 'none'; 
    base-uri 'self'; 
    form-action 'self'; 
    frame-src *.paypal.com *.braintreegateway.com *.braintree-api.com; 
    frame-ancestors 'none';";

该按钮运行正常,但问题是我仍然收到报告和错误,因为Paypal执行内联Javascript:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx='), or a nonce ('nonce-...') is required to enable inline execution.

[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-xxxx' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com".

您可以看到我将所有重要的网址列入了白名单。我也添加了一个随机数来运行脚本:

<script nonce="xxxx" src="https://www.paypalobjects.com/api/checkout.js" data-version-4 log-level="warn"></script>
<script nonce="xxxx" src="https://js.braintreegateway.com/web/3.55.0/js/paypal-checkout.min.js"></script>

不确定是否与以下内容有关:
对于跨站点Cookie,我使用session.cookie_samesite = Strict
得到此警告:

A cookie associated with a cross-site resource at http://developer.paypal.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://www.paypal.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

总共9个paypal子域。

编辑: 我检查了我的html,发现有多个内联脚本呈现给paypalbutton html,检查我的附件。

我该如何解决这个问题?

enter image description here

1 个答案:

答案 0 :(得分:0)

对于Cookie警告,这些警告与PayPal的域相关,因此有责任对其进行更新。在当前稳定的Chrome浏览器中,这些警告仅供参考,不会影响其行为。但是,如果您使用Canary,Dev或Beta版本,则可能会遇到这些Cookie被阻止的情况。

更多上下文可从以下网址获得:

听起来好像那些PayPal脚本正试图在页面中注入其他脚本。您可能需要考虑使用'strict-dynamic'来允许信任传播到其他资源:

script-src 'nonce-xxxx' 'strict-dynamic';

这将导致白名单或源表达式,例如'self''unsafe-inline',但是对于不支持strict-dynamic的浏览器,您也可以包含它们。

您的错误专门涉及'unsafe-inline''unsafe-eval',因此对于较旧的浏览器,您可能还需要考虑这些错误。但是,我会先用strict-dynamic测试一下,看看是否满足您的需求。

script-src 'nonce-xxxx' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' 'self' *.paypal.com *.paypalobjects.com *.braintreegateway.com https://www.gstatic.com;

如果这些是错误的根源,我还将验证您在页面中绝对没有缺少任何内联脚本(无论是您自己的代码还是其他非PayPal的第三方服务)

相关问题
最新问题