Does anyone have any experience with iframes and CSP? I'm having this issue at work and it's just driving me crazy.

Our site has a pretty strict CSP, and it includes a list of frame-src entries for which domains can be embedded as iframes. We're switching over from Stripe to an alternative payment provider. When you pay with a credit card, your bank's 3DS page gets shown by the payment provider (Stripe, for example) in an iframe. Normally, your CSP would prevent these iframes, but Stripe avoids this by first creating their own iframe (with no CSP), which our CSP allows, and then that iframe displays the 3DS iframes for various banks.

The new payment provider (Adyen) just tries to directly show the 3DS iframes within our page. Of course, our CSP blocks this. They've told us to either relax our CSP (no go) or keep our own list of bank domains and include them in our CSP (unrealistic).

So our idea was to emulate Stripe and create a subdomain of our own with no CSP that then displays the iframes for banks. Seems like it should work, and from what I've read, iframes shouldn't inherit the CSP of their parent frames. But when our iframe tries to load up the bank's iframe, those get blocked saying they violate the CSP, and then there's a list of the CSP entries of the parent frame. We've even tried setting frame-src to * in the child frame, but to no avail. Also tried using a different TLD, same thing.

So should iframes inherit the CSP of their parent frames or not? Lots of docs online (although they're pretty scarce about the topic) say they shouldn't, but to me it seems like they do. Is there a way around this?

If you've come this far reading, thank you. I don't really expect people here to waste a lot of time on this issue without being paid, I'm just wondering if maybe someone has had a similar experience and can point me in the right direction.
# Dec 7, 2023 14:40
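An added example, not part of the original post: a simplified JavaScript model of which policy a nested frame load is checked against. It encodes the rule that a frame loaded over the network is governed by its own response's CSP, while a frame created from a local scheme (`about:blank`, `srcdoc`, `data:`, `blob:`) inherits the policy of the document that created it. The hostnames, the frame-tree shape and the function names are constructed for illustration.

```javascript
// Added example: simplified model of which CSP governs each frame load.
// Assumptions: host matching ignores ports and paths; scheme-less hosts match http(s).
const LOCAL = /^(about|data|blob):/i; // local schemes inherit the creator's policy
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
function sourceMatches(src, url, selfOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === selfOrigin;
  if (src === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)/i.exec(src);
  if (!m || !/^https?:$/.test(url.protocol)) return false;
  if (m[1] && url.protocol !== m[1].toLowerCase() + ':') return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}
// frame: { url, csp (response header, may be absent), children: [...] }
function auditFrames(frame, parent = null, out = []) {
  const url = new URL(frame.url);
  const inherits = parent !== null && LOCAL.test(frame.url);
  const doc = inherits
    ? { ...parent } // same policy and origin as the creating document
    : { policyFrom: frame.url, origin: url.origin, policy: parseCsp(frame.csp) };
  if (parent) {
    const p = parent.policy;
    const list = p.get('frame-src') ?? p.get('child-src') ?? p.get('default-src');
    const allowed = list === undefined || url.protocol === 'about:' ||
      list.some((s) => sourceMatches(s, url, parent.origin));
    out.push({ frame: frame.url, policyFrom: parent.policyFrom, allowed });
  }
  for (const child of frame.children || []) auditFrames(child, doc, out);
  return out;
}
// Constructed sample trees: same top page, two ways of building the wrapper frame.
const TOP = 'https://shop.example/checkout';
const TOP_CSP = "default-src 'self'; frame-src https://pay.shop.example";
const bank = { url: 'https://acs.bank.example/challenge' };
const viaNetworkWrapper = { url: TOP, csp: TOP_CSP, children: [
  { url: 'https://pay.shop.example/wrapper', children: [bank] }] };
const viaSrcdocWrapper = { url: TOP, csp: TOP_CSP, children: [
  { url: 'about:srcdoc', children: [bank] }] };
console.log(auditFrames(viaNetworkWrapper), auditFrames(viaSrcdocWrapper));
```

When a nested frame is blocked and the report lists the top page's directives, the `policyFrom` column is the thing to compare against: it shows whether the wrapper document contributed its own policy or carried its creator's.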
# May 17, 2024 01:58
They're working on React Forget I think, which would make it so you don't have to carefully use useMemo and useCallback for render optimization, which would be great.
# Dec 8, 2023 14:53