redux-devtools: Spurious error in firefox when used with stripe.js
I’m seeing the following error in firefox in the console when I have redux devtools enabled on a page that’s including https://js.stripe.com/v3/, which comes with a fairly comprehensive Content Security Policy.
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://js.stripe.com”). Source: !function(t){function __webpack_require_....
Everything seems to still be working, but it took me a while to track down what the actual interaction was. At least a clearer error when a resource’s CSP is incompatible with redux devtools would be really helpful.
About this issue
- Original URL
- State: open
- Created 7 years ago
- Reactions: 13
- Comments: 27
+1, Also have this with the LastPass extension
Is there any sort of resolution here?
Just going to chime in here: I believe that this issue is because the iframe that Stripe.js uses for communications has a CSP that forbids
selfandunsafe-inline. Usingredux-devtoolsin Chrome I don’t get any errors, so it seems the Firefox extension is doing something different here; injecting a script maybe?Just as an update from the Firefox side: The patch has a lot of traction lately and is being actively worked on, but I can’t make any promises on a Firefox version yet as its a complicated problem space.
Fighting CSP has been the bane of my career and this issue has defeated me. Seppuku time lol
Bump
Looks like this is a long standing bug with Firefox being too strict with CSP and applying the rules as well on scripts injected by extensions & bookmarklets.
Oh, I forgot to add! You can easily test this by visiting this page in Firefox with the extension enabled:
https://stripe.com/docs/elements/