Content Security Policy Reports - Apps Requests

MerchantYard
Tourist

Hello,

There is an issue with apps scripts/requests. It throws an error on the browser console related to security CSP reports. Here is an example error:

[Report Only] Refused to connect to 'https://XXX' because it violates the following Content Security Policy directive: "connect-src 'self' .shopifycloud.com .shopifysvc.com .amazon.com .paypal.com *.facebook.com sessions.bugsnag.com analytics.tiktok.com bat.bing.com www.google-analytics.com ct.pinterest.com stats.g.doubleclick.net".

So it seems external scripts are allowed from certain domains only.

Please help.

Thanks

0 Likes
_JB
Shopify Staff

Hey @MerchantYard,

The error shows [Report Only], which means the error is informational and shouldn't affect how the script loads. Can you confirm in the network console that the script is indeed being blocked? If this is the case, please provide a shop_id or page URL and we can investigate further.

JB | Developer Support @ Shopify 

0 Likes
dog-kitchen
New Member

Was this resolved? We are having the same issue, and it seems to be preventing some other JavaScript on our cart page from running, which prevents customers from being able to check out. Luckily we haven't launched the store yet, but we definitely need to resolve this ASAP. @_JB can you take a look at our page? It's here. Thanks!

 

0 Likes
_JB
Shopify Staff

Hey @dog-kitchen,

I'm not seeing anything in the console. What are you seeing that suggests there's an issue?

Note that if the console error shows [Report Only], this indicates the policy isn't actually being enforced, so any scripts that show up in an error like this aren't being blocked.

JB | Developer Support @ Shopify 

0 Likes
dog-kitchen
New Member

I see the [Report Only] warning on the cart page (not the AJAX cart; you can get to the cart page by viewing on mobile), but now I'm not seeing it anymore. The issue that may have been related was that hitting the "Checkout" button from the cart page was causing a page reload instead of moving the user into checkout. I'm not able to replicate it anymore though, unfortunately.

 

0 Likes
ask_the_bird
Tourist

Could you please log this as a warning instead?

Errors harm performance metrics (which themselves factor into PageRank) and should be used to indicate an actual runtime problem.

0 Likes
ask_the_bird
Tourist

My earlier comment had a misunderstanding. Researching this further, this console error is emitted by Chrome (and likely other browsers) and is controlled by the document's 'content-security-policy-report-only' header. I can't fault Shopify for wanting to use this header, so I have sent feedback to Chrome requesting that this log at the warning level.

0 Likes
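
The distinction discussed in this thread, as an added example that is not part of any post above and is not Shopify's or any browser's code: a simplified connect-src check showing that the same violation is only reported under the Content-Security-Policy-Report-Only header but blocked under Content-Security-Policy. The policy, URLs and function names are constructed for illustration, and the matching ignores ports, paths and redirects.

```javascript
// Added example: simplified CSP connect-src check (ignores ports, paths, redirects).
// Assumes an HTTPS page and a plain object of lower-cased response header names.

function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return directives;
}

function sourceMatches(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === '*') return /^(https?|wss?):$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === target.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  if (scheme ? scheme !== target.protocol : !/^(https|wss):$/.test(target.protocol)) return false;
  const host = m[2].toLowerCase();
  // "*.example.com" matches subdomains only, never the bare example.com
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

function classifyConnect(headers, pageUrl, targetUrl) {
  const target = new URL(targetUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const violates = (value) => {
    if (!value) return false;
    const policy = parsePolicy(value);
    const sources = policy.get('connect-src') ?? policy.get('default-src');
    if (!sources) return false; // no applicable directive, so nothing is restricted
    return !sources.some((s) => sourceMatches(s, target, pageOrigin));
  };
  if (violates(headers['content-security-policy'])) return 'blocked';
  if (violates(headers['content-security-policy-report-only'])) return 'reported-not-blocked';
  return 'allowed';
}

// Constructed sample policy and URLs (not taken from any real shop).
const POLICY = "connect-src 'self' *.facebook.com www.google-analytics.com";
const PAGE = 'https://shop.example/cart';
const reportOnly = { 'content-security-policy-report-only': POLICY };
const enforced = { 'content-security-policy': POLICY };
console.log(classifyConnect(reportOnly, PAGE, 'https://api.vendor.example/track'));
console.log(classifyConnect(enforced, PAGE, 'https://api.vendor.example/track'));
```

To check a live page, compare which of the two header names appears on the document response in the browser's network panel; only a violation of the enforcing header corresponds to a failed request.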