Checkout page js error Refuse to load the script Content Security Policy Issue

I have a Shopify plus account. I had added some js script on the checkout page. But I am getting errors in the console. How can I fix those errors?

Here is the list of errors that I am getting in the console:

Report Only] Refused to load the script ‘’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com ssl.google-analytics.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

[Report Only] Refused to load the script ‘https://sdk.postscript.io/integrations/sdk-min.js’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

[Report Only] Refused to load the script ‘https://js.usemessages.com/conversations-embed.js’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

[Report Only] Refused to load the script ‘https://bat.bing.com/bat.js’ because it violates the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ cdn.shopify.com cdn.shopify.cn cdn.shopifycloud.com app.shopify.com checkout.shopifycs.com maps.googleapis.com ajax.googleapis.com storage.googleapis.com apis.google.com pay.google.com www.google-analytics.com ssl.google-analytics.com www.gstatic.com www.googleadservices.com www.googletagmanager.com googleads.g.doubleclick.net connect.facebook.net connect.facebook.com www.paypal.com www.paypalobjects.com sandbox.paypal.com api-cdn.amazon.com payments.amazon.com eu.account.amazon.com apac.account.amazon.com payments-de.amazon.com payments-uk.amazon.com payments-jp.amazon.com static-na.payments-amazon.com static-eu.payments-amazon.com static-fe.payments-amazon.com”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

I would love some more clarity on this as well.

• Is it possible to change CSP or is this controlled by Shopify?
• Do CSPs vary from Shopify Plus to other plans?
  • I can load a script fine on my basic plan, but that same script is being blocked by CSP on others.

Yes i’ve just noticed this in PLUS stores i manage too, it seems like Shopify is now blocking scripts not from certain domains, however is currently reporting only but not actually blocking.

Clarification around why this has been introduced would be good, will this be blocked sometime in future? if so when? If this is rolled out without warning it will break lots of PLUS stores. Not a great experience for merchants or customers alike.

Same here. Are there any updates on this?

Shopify let me know that they were using this to track script errors but no current plans to lock this down. The error is a report level error only, so you aren’t actually impacted at the moment.

Thank you for the info @Parcel_Intellig . That’s good news! I saw that CSP is in Report only mode but you never know

Is this still the case? I ran into this issue when I add shipping info using javascript and all I see when this console error occures is that the Shipping inputs area all marked red for required like none of my info was saved from the previous page.

To Shopify Team,
Dont’ you feel responsible to respond on issues from shopify? If you have lack of support, please hire us.

Just following this thread as I’m also seeing quite a few report-only errors using both Chrome and Firefox.

These errors mention a few of the apps I am using, as well as MS Clarity we use to track user behaviour throughout the checkout funnel.

Any response from Shopify would be greatly appreciated.

I am having this issue with my store right now as well.

Similar error is being sent to my customers when clicking a link to access their abandoned cart: "14[Report Only] Refused to frame ‘’ because it violates the following Content Security Policy directive: “child-src c.paypal.com cdn.shopify.com cdn.shopifycdn.net”. Note that ‘frame-src’ was not explicitly set, so ‘child-src’ is used as a fallback. "

This code in particular redirects the customer to the “payment info” page instead of their actual cart where they can apply discount codes or modify their order prior to checking out/purchasing.

I use the app SMS Bump to recover abandoned carts and thought it may be an issue on their part. After speaking with their help desk, I was told that it’s a Shopify issue and have yet to find a solution to this issue.

I currently have the Basic Shopify Plan with the Mr. Parker 2.0 theme installed

Any updates regarding this topic? @Shopify_77

Hoping for a response from the Shopify support team, as I have marked this issue as new.

Same error… Hoping for an update!

Same problem here. #Weneedshopifytorespond !!!

Hey I am facing the same issue with my store.

Your payment can’t be processed for technical reasons. Try again or use a different payment method.

Screenshot 2022-10-02 at 1.04.44 PM.png2940×1210 596 KB

same issue here, can you solve it for your store?