Content Security Policy settings

I learned recently that the API we had been using (back from 2020) has been retired and am struggling to figure out how to migrate from what worked perfectly then to now. One of the (many) challenges is settings for Content Security Policy headers in Apache config. I’ve dug around here and added what I was able to find (at Whitelisted Square Domains for Content Security Policy & Web Payments SDK and through a different search in the Developer site), but keep getting errors in the Console log, e.g.:

Content-Security-Policy: The page’s settings blocked the loading of a resource at https://sandbox.web.squarecdn.com/1.50.1/main-iframe.html?applicationId=[redacted]&hostname=[redacted] (“frame-src”). process_payment.php

Yet I have:
frame-src https://sandbox.web.squarecdn.com/*

Which, I believe, should allow that connection…

I’d greatly appreciate any suggestions for how to fix this problem. Naturally, I am under a tight deadline and this is for an extremely important project.

I just sent you the migration guide to assist migrating from SqPaymentForm to Web Payments SDK. :slightly_smiling_face:

Thank you, Bryan. I’ve made some headway by churning through CSP error messages logged to the console and am (I hope) making progress, but it’s still quite hit-or-miss.

Is there any section in the developer portal where I could find PHP-oriented documentation?

Thanks again for your help.

We have a PHP example that uses the Web Payments SDK. That may help you get through the errors. :slightly_smiling_face:

Thanks, Bryan. This has been helpful.

Unfortunately, negative.
Content Security Policy does not allow using the wildcard * in the path part. It is allowed only in place of the host name (http://*) for network schemes, in subdomain designations (*.site.com), and in place of the port number (https://site.com:*).

So frame-src https://sandbox.web.squarecdn.com or frame-src https://sandbox.web.squarecdn.com/ will allow embedding.

Sorry for the late reply
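
Added example, not part of the original thread or of Square's code: a simplified JavaScript model of how a CSP host-source expression is matched against a URL, based on the CSP Level 3 matching rules, showing why the `/*` path fails while the bare origin works. The function names are hypothetical, and redirects, percent-decoding and scheme-less sources are out of scope.

```javascript
// Added example: simplified CSP host-source matching (no redirects, no percent-decoding).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split "scheme://host[:port][/path]" into parts; this sketch requires a scheme.
function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return { scheme: m[1].toLowerCase() + ':', host: m[2].toLowerCase(),
           port: m[3] || '', path: m[4] || '' };
}

// Path rule: a trailing "/" means prefix match, anything else means exact match.
// "*" has no special meaning here, it is compared as a literal path segment.
function pathMatches(srcPath, urlPath) {
  if (srcPath === '') return true;
  const exact = !srcPath.endsWith('/');
  const want = srcPath.split('/');
  const got = urlPath.split('/');
  if (want.length > got.length) return false;
  if (exact && want.length !== got.length) return false;
  if (!exact) want.pop();               // drop the empty piece after the trailing "/"
  return want.every((piece, i) => piece === got[i]);
}

function sourceAllows(expr, resourceUrl) {
  const src = parseSource(expr);
  const url = new URL(resourceUrl);
  // An http: source also covers the https: upgrade of the same host.
  const schemeOk = src.scheme === url.protocol ||
                   (src.scheme === 'http:' && url.protocol === 'https:');
  // Leading "*" in the host: "*.site.com" matches subdomains, a bare "*" any host.
  const hostOk = src.host.startsWith('*')
    ? url.hostname.endsWith(src.host.slice(1))
    : src.host === url.hostname;
  // No port in the source means the URL must use its scheme's default port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  const portOk = src.port === '*' ||
                 (src.port === '' ? url.port === '' : src.port === urlPort);
  return schemeOk && hostOk && portOk && pathMatches(src.path, url.pathname);
}

// The blocked iframe URL from the console message, query string omitted.
const FRAME = 'https://sandbox.web.squarecdn.com/1.50.1/main-iframe.html';
for (const s of ['https://sandbox.web.squarecdn.com/*',
                 'https://sandbox.web.squarecdn.com',
                 'https://sandbox.web.squarecdn.com/',
                 'https://*.web.squarecdn.com']) {
  console.log(s.padEnd(40), sourceAllows(s, FRAME) ? 'allows' : 'blocks');
}
```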