Checkout page JS error: "Refused to load the script" (Content Security Policy issue)

New Member

I have a Shopify plus account. I had added some js script on the checkout page. But I am getting errors in the console. How can I fix those errors?

Here is the list of errors that I am getting in the console:

[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com <URL> ssl.google-analytics.com <URL> <URL> <URL> googleads.g.doubleclick.net connect.facebook.net connect.facebook.com <URL> <URL> sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


[Report Only] Refused to load the script 'https://sdk.postscript.io/integrations/sdk-min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


[Report Only] Refused to load the script 'https://js.usemessages.com/conversations-embed.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

[Report Only] Refused to load the script 'https://bat.bing.com/bat.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

5 Likes
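To work out in advance which injected scripts would stop loading if a Report-Only policy like the one in those console messages were enforced, the following added example (not code from the thread or from Shopify) parses the quoted script-src directive out of the browser message and evaluates script URLs against it. The sample message is constructed from the thread's first error with the host list shortened, and checkout.example.com stands in for the real checkout origin.

```javascript
// Constructed sample: one console line from the thread, source list shortened.
const SAMPLE_MESSAGE =
  "[Report Only] Refused to load the script 'https://sdk.postscript.io/integrations/sdk-min.js' " +
  "because it violates the following Content Security Policy directive: " +
  "\"script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopifycloud.com " +
  "www.googletagmanager.com connect.facebook.net www.paypal.com\". " +
  "Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.";

// Pull the quoted directive out of the console text and split it into its sources.
function parseDirective(message) {
  const m = message.match(/directive: "([^"]+)"/);
  if (!m) throw new Error("no CSP directive found in message");
  const [name, ...sources] = m[1].trim().split(/\s+/);
  return { name, sources };
}

// Does one CSP source expression match the script URL? Covers 'self', bare
// hosts, *.wildcards, explicit schemes and paths (ports are ignored here).
// Keyword sources such as 'unsafe-inline' never authorise a remote script element.
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(?:\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  // With no scheme in the source, the script must use the page's own scheme.
  if ((scheme ? scheme.toLowerCase() + ":" : page.protocol) !== url.protocol) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (path && !(path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

function isAllowed(directive, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl), page = new URL(pageOrigin);
  return directive.sources.some((s) => sourceMatches(s, url, page));
}

// Triage helper: which of the scripts a checkout injects would stop loading
// if this directive were enforced rather than merely reported?
function blockedScripts(message, scriptUrls, pageOrigin) {
  const directive = parseDirective(message);
  return scriptUrls.filter((u) => !isAllowed(directive, u, pageOrigin));
}

console.log(blockedScripts(SAMPLE_MESSAGE, [
  "https://cdn.shopify.com/s/app.js",                  // allowed by cdn.shopify.com
  "https://sdk.postscript.io/integrations/sdk-min.js", // not on the source list
  "https://bat.bing.com/bat.js",                       // not on the source list
], "https://checkout.example.com"));
```

Running it prints the two hosts that the thread's console also reports, which is the list a store owner would need the policy owner to add before enforcement.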
New Member

I would love some more clarity on this as well.

- Is it possible to change the CSP, or is this controlled by Shopify?
- Do CSPs vary from Shopify Plus to other plans?
  - I can load a script fine on my basic plan, but that same script is being blocked by CSP on others.
0 Likes
Shopify Partner

Yes, I've just noticed this in PLUS stores I manage too. It seems like Shopify is now blocking scripts not from certain domains; however, it is currently only reporting, not actually blocking.

Clarification around why this has been introduced would be good. Will this be blocked sometime in the future? If so, when? If this is rolled out without warning it will break lots of PLUS stores. Not a great experience for merchants or customers alike.

0 Likes