redux-devtools: Spurious error in firefox when used with stripe.js

I’m seeing the following error in firefox in the console when I have redux devtools enabled on a page that’s including https://js.stripe.com/v3/, which comes with a fairly comprehensive Content Security Policy.

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://js.stripe.com”). Source: !function(t){function __webpack_require_....

Everything seems to still be working, but it took me a while to track down what the actual interaction was. At least a clearer error when a resource’s CSP is incompatible with redux devtools would be really helpful.

About this issue

  • Original URL
  • State: open
  • Created 7 years ago
  • Reactions: 13
  • Comments: 27

Most upvoted comments

+1, Also have this with the LastPass extension

Is there any sort of resolution here?

Just going to chime in here: I believe that this issue is because the iframe that Stripe.js uses for communications has a CSP that forbids self and unsafe-inline. Using redux-devtools in Chrome I don’t get any errors, so it seems the Firefox extension is doing something different here; injecting a script maybe?

Just as an update from the Firefox side: The patch has a lot of traction lately and is being actively worked on, but I can’t make any promises on a Firefox version yet as its a complicated problem space.

Fighting CSP has been the bane of my career and this issue has defeated me. Seppuku time lol

Bump

Looks like this is a long standing bug with Firefox being too strict with CSP and applying the rules as well on scripts injected by extensions & bookmarklets.

Oh, I forgot to add! You can easily test this by visiting this page in Firefox with the extension enabled:

https://stripe.com/docs/elements/