FROM CACHE - en_header

Checkout page js error Refuse to load the script Content Security Policy Issue

ChandniHanda
New Member
1 0 10

I have a Shopify plus account. I had added some js script on the checkout page. But I am getting errors in the console. How can I fix those errors?

Here is the list of errors that I am getting in the console:

Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com <URL> ssl.google-analytics.com <URL> <URL> <URL> googleads.g.doubleclick.net connect.facebook.net connect.facebook.com <URL> <URL> sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

 

 

[Report Only] Refused to load the script 'https://sdk.postscript.io/integrations/sdk-min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

 

[Report Only] Refused to load the script 'https://js.usemessages.com/conversations-embed.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

 


 [Report Only] Refused to load the script 'https://bat.bing.com/bat.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Replies 13 (13)
Slub
New Member
1 0 0

I would love some more clarity on this as well. 

  • Is it possible to change CSP or is this controlled by Shopify?  
  • Do CSPs vary from Shopify Plus to other plans?
    • I can load a script fine on my basic plan, but that same script is being blocked by CSP on others.
Parcel_Intellig
Shopify Partner
90 1 39

Yes i've just noticed this in PLUS stores i manage too, it seems like Shopify is now blocking scripts not from certain domains, however is currently reporting only but not actually blocking.

Clarification around why this has been introduced would be good, will this be blocked sometime in future? if so when? If this is rolled out without warning it will break lots of PLUS stores. Not a great experience for merchants or customers alike.

marc_od
New Member
2 0 0

Same here. Are there any updates on this?

Parcel_Intellig
Shopify Partner
90 1 39

Shopify let me know that they were using this to track script errors but no current plans to lock this down. The error is a report level error only, so you aren't actually impacted at the moment.

marc_od
New Member
2 0 0

Thank you for the info @Parcel_Intellig. That's good news! I saw that CSP is in Report only mode but you never know 😉

saulvg1
Shopify Partner
4 0 0

Is this still the case? I ran into this issue when I add shipping info using javascript and all I see when this console error occures is that the Shipping inputs area all marked red for required like none of my info was saved from the previous page. 

attotasolutions
Shopify Partner
26 0 17

To Shopify Team,
Dont' you feel responsible to respond on issues from shopify? If you have lack of support, please hire us.

M0w45
Excursionist
34 0 6

Just following this thread as I'm also seeing quite a few report-only errors using both Chrome and Firefox.

These errors mention a few of the apps I am using, as well as MS Clarity we use to track user behaviour throughout the checkout funnel.

Any response from Shopify would be greatly appreciated.

Space_Foundry
Excursionist
14 0 0

I am having this issue with my store right now as well.

DeVanite
New Member
1 0 1

Similar error is being sent to my customers when clicking a link to access their abandoned cart: "14[Report Only] Refused to frame '<URL>' because it violates the following Content Security Policy directive: "child-src c.paypal.com cdn.shopify.com cdn.shopifycdn.net". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback. "

This code in particular redirects the customer to the "payment info" page instead of their actual cart where they can apply discount codes or modify their order prior to checking out/purchasing.

 

I use the app SMS Bump to recover abandoned carts and thought it may be an issue on their part. After speaking with their help desk, I was told that it's a Shopify issue and have yet to find a solution to this issue.

 

I currently have the Basic Shopify Plan with the Mr. Parker 2.0 theme installed

GizliSekme
Tourist
7 0 4
Shamiq
Shopify Partner
3 0 0

Hoping for a response from the Shopify support team, as I have marked this issue as new.

Quico
Shopify Partner
4 0 4

Same error… Hoping for an update!