Resolved | nickwuk (@nickwuk)


    After the customer’s payment has been successfully taken via Paypal, the customer sees a Paypal confirmation page with a ‘Return to Merchant’ button at the bottom; however, the button does not work. In Paypal account preferences Auto-return is off, so I am NOT expecting it to auto-return.

    In Chrome’s Inspector there is an error in the Console that says: Refused to send form data to ‘https://mydomain.com/checkout/order-received/3083/?key=wc_order_5b6c0b0b81314&utm_nooverride=1’ because it violates the following Content Security Policy directive: “form-action ‘self’ https://*.paypal.com https://*.cardinalcommerce.com”.

    From further reading I believe a Content Security Policy (CSP) needs adding either to the website .htaccess file or to a meta tag on the return page. Or I see there is a ‘WP Content Security Policy’ plugin. What would you recommend please?

Viewing 3 replies - 1 through 3 (of 3 total)
  • You’re not alone in experiencing this. I ran into the same problem (not WordPress related) and others have posted on Stack Overflow too. https://stackoverflow.com/questions/51767294/sandbox-paypal-is-not-redirecting-the-user-to-success-page/51786355 I think that if your server has HTTPS it might not have the problem, but not 100% certain yet.

    This is an issue with Paypal’s Content Security Policy. CSP is a feature of browsers to prevent loading content from domains you don’t want content to load from. Their policy currently only allows this for form actions:

    “form-action ‘self’ https://*.paypal.com https://*.cardinalcommerce.com”.

    That means the return-to-merchant page only allows a form on that page whose action URL is ‘self’ (the current domain), *.paypal.com or *.cardinalcommerce.com. The way Paypal’s ‘Return to Merchant’ button works, both when auto return is on and when you click to return to merchant, is that it POSTs data to the return URL that allows verifying the completed sale. The IPN URL does this too, so it’s not necessary, but it is something Paypal does. I wonder if posting back data can be turned off; then it might work.

    They will have to dynamically add the merchant’s return URL to the CSP in order for the form POST to be allowed.

    This is the message I got from Paypal…. Hello Henry, Thank you for contacting PayPal Merchant Technical Support. I am happy to assist you with this. This is a known issue that our engineering team is working on. When they have a fix I will reach out via this ticket and update you. Sincerely, Zach Global Technical Support PayPal, Inc.

    PS: Having an https return URL does matter unless the Paypal CSP allows the return URL in https form but not http form.

    If you have questions feel free to reach out:
    Henry Weismann
    http://www.weismannweb.com

    • This reply was modified 7 years, 7 months ago by weismannweb.
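    To make the point above concrete, here is a small model of how a browser evaluates the form-action directive, written for this thread as an added example (it is not PayPal’s, WordPress’s or WooCommerce’s code). The policy string and the return URL are the ones quoted in the console error; the PayPal page URL used as the form’s origin is an assumption for the demo, as is the “fixed” policy with the merchant origin appended. Run it with Node.js.

```javascript
// Added example: model of CSP form-action matching (not PayPal's/WordPress's code).
// Assumptions: PAYPAL_PAGE is a hypothetical URL for the PayPal-hosted page that
// carries the 'Return to Merchant' form; the "fixed" policy is what PayPal would
// have to serve, not something they actually serve.

// Parse a Content-Security-Policy value into Map<directive name, [source expressions]>.
// Only the first occurrence of a directive counts, as in the spec.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const DEFAULT_PORT = { http: '80', https: '443' };

// Host-source wildcard: "*.paypal.com" matches "www.paypal.com" but NOT bare "paypal.com".
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".paypal.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match the target URL for a form on `page`?
function sourceMatches(expr, target, page) {
  const kw = expr.toLowerCase();
  if (kw === "'none'") return false;
  if (kw === "'self'") return target.origin === page.origin;
  if (kw === '*') return true; // bare wildcard (scheme restrictions ignored in this model)
  const targetScheme = target.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return kw === target.protocol; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i);
  if (!m) return false; // nonces, hashes and unknown keywords never match a URL
  const scheme = m[1] ? m[1].toLowerCase() : null;
  const hostPattern = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];
  if (scheme) {
    if (scheme !== targetScheme) return false;
  } else {
    // No scheme given: the page's own scheme, or https when the page is http.
    const pageScheme = page.protocol.slice(0, -1);
    if (targetScheme !== pageScheme && !(pageScheme === 'http' && targetScheme === 'https')) return false;
  }
  if (!hostMatches(hostPattern, target.hostname)) return false;
  // URL normalises a default port to '', so compare against the scheme default.
  const targetPort = target.port || DEFAULT_PORT[targetScheme] || '';
  const wantPort = port ? port : DEFAULT_PORT[scheme || targetScheme] || '';
  if (wantPort !== '*' && wantPort !== targetPort) return false;
  // Path: a trailing "/" means prefix match, otherwise exact.
  if (path) {
    if (path.endsWith('/')) { if (!target.pathname.startsWith(path)) return false; }
    else if (target.pathname !== path) return false;
  }
  return true;
}

// form-action does NOT fall back to default-src: with no directive, any action URL is allowed.
function isFormActionAllowed(policy, pageUrl, actionUrl) {
  const sources = parseCsp(policy).get('form-action');
  if (!sources) return true;
  const page = new URL(pageUrl);
  const action = new URL(actionUrl, page);
  return sources.some((s) => sourceMatches(s, action, page));
}

// Directive quoted in the console error, enforced on PayPal's confirmation page.
const PAYPAL_POLICY = "form-action 'self' https://*.paypal.com https://*.cardinalcommerce.com";
// Assumed (hypothetical) URL of the PayPal page that hosts the 'Return to Merchant' form.
const PAYPAL_PAGE = 'https://www.paypal.com/checkoutnow';
// Merchant return URL from the console message (mydomain.com is the thread's placeholder).
const RETURN_URL = 'https://mydomain.com/checkout/order-received/3083/?key=wc_order_5b6c0b0b81314&utm_nooverride=1';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('return URL allowed:', isFormActionAllowed(PAYPAL_POLICY, PAYPAL_PAGE, RETURN_URL)); // false
  console.log('paypal-hosted form allowed:',
    isFormActionAllowed(PAYPAL_POLICY, PAYPAL_PAGE, 'https://www.sandbox.paypal.com/cgi-bin/webscr')); // true
  console.log('with merchant origin appended:',
    isFormActionAllowed(PAYPAL_POLICY + ' https://mydomain.com', PAYPAL_PAGE, RETURN_URL)); // true
  console.log("merchant's own CSP does not decide this:",
    isFormActionAllowed("form-action 'self'", 'https://mydomain.com/checkout/', RETURN_URL)); // true
}
```

    The last line of the demo is the point for the original question: the policy that blocks the POST belongs to the page the form lives on (PayPal’s), so a CSP added to the merchant’s .htaccess or a meta tag on the return page is never consulted for that submission. Note also that `*.paypal.com` does not match bare `paypal.com`, and an explicit port or a non-default port on the action URL fails the match.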

    This answer is correct and you can reach out to PayPal directly for the resolution. We will go ahead and close this post, but if you have other questions please let us know!


The topic ‘Content Security Policy’ is closed to new replies.