I learned recently that the API we had been using (back from 2020) has been retired and am struggling to figure out how to migrate from what worked perfectly then to now. One of the (many) challenges is settings for Content Security Policy headers in Apache config. I’ve dug around here and added what I was able to find (at Whitelisted Square Domains for Content Security Policy & Web Payments SDK and through a different search in the Developer site), but keep getting errors in the Console log, e.g.:
Content-Security-Policy: The page’s settings blocked the loading of a resource at https://sandbox.web.squarecdn.com/1.50.1/main-iframe.html?applicationId=[redacted]&hostname=[redacted] (“frame-src”). process_payment.php
Yet I have: frame-src https://sandbox.web.squarecdn.com/*
Which, I believe, should allow that connection…
I’d greatly appreciate any suggestions for how to fix this problem. Naturally, I am under a tight deadline and this is for an extremely important project.
Thank you, Bryan. I’ve made some headway by churning through CSP error messages logged to the console and am (I hope) making progress, but it’s still quite hit-or-miss.
Is there any section in the developer portal where I could find PHP-oriented documentation?
Unfortunately, negative.
Content Security Policy does not allow using the wildcard * in the path-part. It is allowed only in place of the host name (http://*) for network schemes, in subdomain designations (*.site.com) and as the port number (https://site.com:*).
So frame-src https://sandbox.web.squarecdn.com or frame-src https://sandbox.web.squarecdn.com/ will allow embedding.
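The following is an added example, not part of any post in this thread: a simplified Python model of CSP host-source matching that shows why the `/*` entry fails against the logged URL while the bare origin passes. The function names are hypothetical, the sample URL is constructed from the console error with placeholders for the redacted values, and scheme upgrades, scheme-less sources and percent-decoding are left out.

```python
import re
from urllib.parse import urlsplit

# Simplified CSP host-source grammar: [scheme://]host[:port][/path]
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?"
    r"(?P<path>/[^?#]*)?$",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def lint_source(expr):
    """Return warnings for one source expression (empty list means OK)."""
    m = HOST_SOURCE.match(expr)
    if not m:
        return [f"{expr!r}: not a valid host-source"]
    if "*" in (m.group("path") or ""):
        return [f"{expr!r}: '*' in the path is a literal, not a wildcard"]
    return []

def source_allows(expr, url):
    """Simplified check: does this source expression allow this URL?"""
    m = HOST_SOURCE.match(expr)
    if not m:
        return False
    u = urlsplit(url)
    scheme, host, port, path = m.group("scheme", "host", "port", "path")
    if scheme and scheme.lower() != u.scheme:
        return False
    host, uhost = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):   # "*.site.com" needs a subdomain
            return False
    elif host != "*" and host != uhost:
        return False
    uport = u.port or DEFAULT_PORTS.get(u.scheme)
    if port is None:
        if uport != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and int(port) != uport:
        return False
    if not path:
        return True                        # no path: any path on the host
    upath = u.path or "/"
    # A path ending in "/" is a prefix; any other path must match exactly.
    return upath.startswith(path) if path.endswith("/") else upath == path

# Constructed sample: the blocked URL from the log, redacted values replaced.
BLOCKED_URL = ("https://sandbox.web.squarecdn.com/1.50.1/main-iframe.html"
               "?applicationId=APP_ID&hostname=example.test")
```

Running `lint_source` over each entry of a directive before deploying the header catches this class of mistake without a round trip through the browser console.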