braintree / braintree-web-drop-in

Braintree Drop-in for the web
MIT License

updated CSP configuration #912

Open DoroGi opened 9 months ago

DoroGi commented 9 months ago

General information

Issue description

I find the CSP documentation to be incomplete.

I implemented the CSP as shown here: https://braintree.github.io/braintree-web-drop-in/docs/current/index.html#content-security-policy, but I started receiving reports of a few URLs (i.e. www.paypalobjects.com and https://google.com/pay) not being allowed. Then I found that braintree-web has a different suggested configuration here: https://braintree.github.io/braintree-web/current/, which seems to be more up to date than the drop-in one. Using those configurations for Google Pay and PayPal, I fixed the issue. Should the drop-in doc be updated? Or maybe merged into the braintree-web one?

Also, I still receive some CSP reports regarding a specific AWS URL ([omitted].us-east-1.amazonaws.com/prod/log) being called by a CardinalCommerce script. Is this intended? Do I have to add a CSP conf for it?

jplukarski commented 9 months ago

Hey @DoroGi , thanks for reporting this to us. We'll add a card in our backlog to get our Drop-In reference documentation up to date ASAP. We'll also reach out to CardinalCommerce about that AWS URL you saw to verify if we should also update our 3DSecure-specific directives.

For internal tracking -> 28714

DoroGi commented 9 months ago

Thank you very much!

DoroGi commented 9 months ago

Hi, thank you for the update on google pay! Do you have any news on the aws URL?

Also, I just noticed that there are a number of calls directed to "spay.samsung.com". Braintree documentation talks about Samsung Pay, but it does not seem to be mentioned in the web drop-in documentation. How come I see calls being made to Samsung Pay? Is it a bug?

karolyi commented 3 weeks ago

+1.

Not only is the amazonaws URL extra, there is also configuration missing from the documentation, for form-action, for example.

PayPal also needs *.paypalobjects.com in img-src.

Seeing that my other issue (#939) is ignored as well, I don't see a fast resolution here.
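The two complaints in this thread (blocked URLs that a documented policy does not list, and directives such as form-action and img-src that the documentation never mentions) are easiest to triage by diffing the deployed policy against the violation reports the browser sends. The script below is an added example written for this issue; it is not code from braintree-web-drop-in or Braintree, and the policy, the page origin `https://shop.example`, the placeholder hosts `checkout-assets.example` and `psp-redirect.example`, the amazonaws hostname and every report are constructed for illustration rather than observed values or Braintree's documented CSP. It parses a policy, applies CSP source matching (wildcard hosts, path prefixes, 'self', and the default-src fallback that fetch directives get but form-action does not), and returns the directive/origin pairs the policy is missing.

```javascript
// Added example, not code from braintree-web-drop-in or Braintree: an offline
// checker that parses a Content-Security-Policy value plus a batch of CSP
// violation reports and lists the directive/origin pairs the policy lacks.
// Everything below (policy, hosts, paths, reports) is constructed for illustration.

const PAGE_ORIGIN = "https://shop.example"; // assumed origin of the checkout page

// Fetch directives that fall back to default-src when absent (CSP3).
// form-action, frame-ancestors and base-uri have NO such fallback.
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src",
  "child-src", "media-src", "object-src", "worker-src", "manifest-src",
]);

// Parse "dir a b; dir2 c" into Map(dir -> [a, b]).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source list that governs `directive`, or null if the policy does not restrict it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if ((directive === "frame-src" || directive === "worker-src") && directives.has("child-src")) {
    return directives.get("child-src"); // simplified: worker-src also consults script-src
  }
  if (FETCH_DIRECTIVES.has(directive) && directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Does one CSP source expression permit `url`? Covers 'self', '*', scheme-source
// (https:) and host-source with optional scheme, wildcard label, port and path.
function matchesSource(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "*") return true;
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes, 'unsafe-*' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const pageProto = new URL(pageOrigin).protocol;
  if (scheme) {
    if (u.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (u.protocol !== pageProto && !(pageProto === "http:" && u.protocol === "https:")) {
    return false; // scheme-less host-source inherits the page scheme
  }
  const h = host.toLowerCase();
  if (h.startsWith("*.") ? !u.hostname.endsWith(h.slice(1)) : u.hostname !== h) return false;
  if (port && port !== "*" && u.port !== port) return false; // default ports not normalised
  if (path && (path.endsWith("/") ? !u.pathname.startsWith(path) : u.pathname !== path)) return false;
  return true;
}

// Walk reports (shape of the `csp-report` object a report-uri endpoint receives)
// and collect the (directive, origin) pairs the policy does not yet allow.
function findGaps(policy, reports, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  const gaps = new Map();
  for (const r of reports) {
    const directive = r["effective-directive"];
    const blocked = r["blocked-uri"];
    const sources = effectiveSources(directives, directive);
    if (sources === null) continue; // unrestricted directive: nothing to add
    if (sources.some((s) => matchesSource(s, blocked, pageOrigin))) continue; // stale report
    const origin = new URL(blocked).origin;
    const key = `${directive} ${origin}`;
    if (!gaps.has(key)) gaps.set(key, { directive, source: origin, blockedUris: [] });
    gaps.get(key).blockedUris.push(blocked);
  }
  return [...gaps.values()];
}

// Group gaps into the directive additions to paste into the policy.
function directiveAdditions(gaps) {
  const out = {};
  for (const g of gaps) {
    if (!out[g.directive]) out[g.directive] = [];
    out[g.directive].push(g.source);
  }
  return out;
}

// Constructed policy: what a merchant might deploy from an incomplete reference.
const SAMPLE_POLICY = [
  "default-src 'self'",
  "script-src 'self' https://pay.google.com https://checkout-assets.example",
  "img-src 'self' https://checkout-assets.example",
  "connect-src 'self' https://*.samsung.com",
  "form-action 'self'",
].join("; ");

// Constructed reports. Hostnames from the thread are reused; the amazonaws host
// and all paths are placeholders, not observed values.
const SAMPLE_REPORTS = [
  { "effective-directive": "img-src", "blocked-uri": "https://www.paypalobjects.com/images/button.png" },
  { "effective-directive": "frame-src", "blocked-uri": "https://google.com/pay" },
  { "effective-directive": "connect-src", "blocked-uri": "https://redacted-host.us-east-1.amazonaws.com/prod/log" },
  { "effective-directive": "connect-src", "blocked-uri": "https://spay.samsung.com/ops/v1/status" }, // already allowed
  { "effective-directive": "form-action", "blocked-uri": "https://psp-redirect.example/submit" }, // no default-src fallback
  { "effective-directive": "font-src", "blocked-uri": "https://checkout-assets.example/fonts/a.woff2" }, // falls back to default-src
];

console.log(JSON.stringify(directiveAdditions(findGaps(SAMPLE_POLICY, SAMPLE_REPORTS)), null, 2));
```

Two things the output makes visible that the documentation discussion glosses over: a host allowed under img-src or script-src is not allowed under font-src or frame-src, because each of those falls back to default-src rather than to its sibling, and form-action has no fallback at all, so a redirect-based payment flow needs the third-party origin listed there explicitly. Real CSP reports carry more fields (document-uri, original-policy, status-code) and the matcher here skips the default-port normalisation of the spec, so treat it as a triage aid, not a conformance checker.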