I’ve recently started implementing a stricter CSP on my application.
While testing, my Web Payments integration is failing due to the CSP frame-src directive when entering card details around 3DS verification.
I’ve added the recommended Square domains to the various CSP tags, but it is still failing on the card issuer’s 3DS check, as it says the issuer’s page doesn’t pass frame-src.
Obviously there are hundreds, if not thousands, of different card issuers; how can I implement this while still keeping my current CSP policies in place?
I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:
If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.
The 3D Secure (3DS) flow is a standard protocol developed by several payment card issuers to satisfy the requirements of Strong Customer Authentication (SCA). It’s used to authenticate buyers and reduce the chance of fraudulent transactions. When you’re using 3DS, the liability for fraudulent chargebacks is shifted to the card issuer in most cases.
However, implementing Content Security Policy (CSP) with 3DS can be challenging due to the need to allow various card issuers to load their 3DS verification pages within iframes. Unfortunately, there’s no universal solution to this issue as the domains for these verification pages can vary widely and are controlled by the individual card issuers, not Square.
One potential workaround could be to use a less restrictive CSP policy for the specific payment pages where 3DS verification occurs. This would involve allowing all sources in the frame-src directive of your CSP policy for these specific pages. However, this approach does reduce the effectiveness of your CSP policy on these pages and should be carefully considered in the context of your overall security posture.
Remember that any changes to your CSP policy should be thoroughly tested to ensure they don’t inadvertently introduce new security risks or negatively impact the functionality of your site.
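The per-page approach the reply describes, written out as an added example (this is not Square's code and not part of the original answer): a small Node.js helper that serves the strict policy everywhere, relaxes only `frame-src` on the checkout route, and then checks which frame origins a given header would actually permit. `shop.example`, `*.psp.example` and `acs.issuer-bank.example` are placeholders, not real hosts; the PSP entry stands in for whatever frame domains Square's documentation lists for the Web Payments SDK. The check function honours the CSP3 fallback chain (`frame-src`, then `child-src`, then `default-src`) and the scheme-source form, which is what lets a single token cover issuer hosts you cannot enumerate.

```javascript
// Added example (not Square's or the forum answer's own code): build a per-route
// CSP so that only the checkout route relaxes frame-src, then check which frame
// origins a given policy actually permits. Hostnames below are placeholders;
// substitute the domains Square's documentation lists for the Web Payments SDK.
const SELF_ORIGIN = 'https://shop.example';        // placeholder for your own site
const PSP_FRAME_SOURCE = 'https://*.psp.example';  // placeholder, NOT a real PSP host

// Policy shared by every route: no framing at all, nonce-gated scripts.
function basePolicy(nonce) {
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`],
    'connect-src': ["'self'", PSP_FRAME_SOURCE],
    'frame-src': ["'none'"],
    'frame-ancestors': ["'none'"],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
  };
}

// Only the checkout route may embed frames: the PSP's card fields plus, because
// each issuer's 3DS challenge is served from its own host, any HTTPS origin.
// The scheme source `https:` is narrower than `*`: it still rejects http:,
// data:, blob: and other non-TLS schemes.
function policyFor(path, nonce) {
  const directives = basePolicy(nonce);
  if (path === '/checkout' || path.startsWith('/checkout/')) {
    directives['frame-src'] = ["'self'", PSP_FRAME_SOURCE, 'https:'];
  }
  return serializeCsp(directives);
}

function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1); // repeated directives are ignored, as in browsers
  }
  return out;
}

const DEFAULT_PORT = { http: '80', https: '443' };

// Match one host-source expression: optional scheme, optional leading "*." wildcard, optional port.
function matchesHostSource(source, url, selfUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] || selfUrl.protocol.replace(':', '')).toLowerCase();
  const urlScheme = url.protocol.replace(':', '');
  // An http source also matches https (CSP permits the secure upgrade), never the reverse.
  if (urlScheme !== scheme && !(scheme === 'http' && urlScheme === 'https')) return false;
  const host = url.hostname.toLowerCase();
  const want = m[3].toLowerCase();
  if (m[2] ? !host.endsWith('.' + want) : host !== want) return false; // "*.x" matches subdomains only
  if (m[4] === undefined) return url.port === '';                      // no port given: default port only
  return m[4] === '*' || (url.port || DEFAULT_PORT[urlScheme]) === m[4];
}

// Does `header` let the page embed `frameUrl`? Uses the CSP3 fallback chain
// frame-src -> child-src -> default-src; no directive at all means no restriction.
function frameSrcAllows(header, frameUrl, selfOrigin = SELF_ORIGIN) {
  const d = parseCsp(header);
  const sources = d['frame-src'] ?? d['child-src'] ?? d['default-src'];
  if (sources === undefined) return true;
  const url = new URL(frameUrl);
  const selfUrl = new URL(selfOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return url.origin === selfUrl.origin;
    if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
    if (s.startsWith("'")) return false;                             // nonces/hashes never match a frame
    return matchesHostSource(s, url, selfUrl);
  });
}

// Sample check: a constructed issuer ACS URL (not a real issuer) under the
// default policy versus the checkout policy.
const issuerAcs = 'https://acs.issuer-bank.example/3ds/challenge';
console.log(frameSrcAllows(policyFor('/', 'abc123'), issuerAcs));          // false
console.log(frameSrcAllows(policyFor('/checkout', 'abc123'), issuerAcs));  // true
```

Serve `policyFor(req.path, nonce)` as the `Content-Security-Policy` header from whatever framework you use, generating a fresh nonce per response. Keeping `script-src`, `object-src` and `base-uri` strict on the checkout page means the relaxation is confined to what can be framed there; the issuer's challenge page still runs in its own origin, isolated from your document by the browser. Before shipping, run `frameSrcAllows` against the full policy string you actually emit, not just the directive you think you changed, since a stray `child-src` or `default-src` in the header can override what you intended.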