[BUG] Content Security Policy issue #265
Assignees
Labels
triage
Pending triage
Comments
tatev-tahmazyan
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When integrating ngx-stripe into an Angular application, CSP violations are triggered in Chrome, resulting in refusal to execute inline scripts due to missing hash or nonce values. These violations occur despite the CSP allowing necessary sources, making it difficult to run the application without disabling critical security features like unsafe-inline.
To Reproduce
Steps to reproduce the behavior:
1.Implement ngx-stripe(18.1.0) in an Angular application(18)
2. Load the page in Chrome
3. Inspect the browser’s console
4. Observe the CSP violation errors in the console related to unsafe-inline or missing hashes
Screenshots
Desktop
Additional context
I have tested the behavior across different browsers. The error is consistently present in Chrome, where CSP violations are preventing the execution of inline scripts. Other Browsers (Firefox, Edge): In these browsers, the issue doesn't cause any errors. While there are some warnings, they do not block the execution of scripts or affect functionality.
Also I want to mention that I have seen the same errors on the Ngx-Stripe web site(https://ngx-stripe.dev/docs/payment-element)
The text was updated successfully, but these errors were encountered: