In the console, I see a 403 Forbidden on admin-ajax.php:
wp-admin/admin-ajax.php
Error in the console: Failed to load resource: the server responded with a status of 403 (Forbidden)
Seems proximate cause is a failure to get Stripe information in this call due to the hash/nonce ‘unsafe-line’ does not appear in the script-src directive of the Content Security Policy:
js.stripe.com/v3/m-outer-….html with parms:
url=…/donation-history?donation_id=8650
Error: Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ does not appear in the script-src directive of the Content Security Policy.
>>> Sounds like GiveWP.com needs to update the Stripe plugin. <<<
What do you say, GiveWP?
BTW, I have disabled caching on the server. There was no caching plugins so I installed WP Super Cache and excluded the donation-confirmation and donation-history pages successfully.
-
This reply was modified 5 years, 8 months ago by
mstarnes. Reason: Added comments to rule out caching as a cause
That was in Safari on Mac.
In Chrome on Windows, just before we get the 403, we see “VM75:1 Uncaught DOMException: Blocked a frame with origin “https://js.stripe.com” from accessing a cross-origin frame. at <anonymous>:1:16″
Chrome Issues explains:
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute
Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests
__stripe_mid and _stripe_sid have SameSite set to Lax and neither are Secure.
Hey @mstarnes,
Happy to help you!
The GiveWP plugin is designed to use the admin-ajax.php file used by the WordPress CMS, however sometimes this file can be blocked by a plugin or by the server. WordFence is occasionally problematic in blocking admin-ajax or other necessary items. To resolve this relatively easily, go to “WordFence > Firewall” then set the “Firewall status” to “Learning Mode”. Then tweak your Give settings or form screens a bit so WordFence can learn to NOT block assets that Give uses. Then set the “Firewall status” back to “Enabled and Protecting”.
You can read more about it and how to fix the blocked admin-ajax.php file here https://givewp.com/documentation/core/frequent-troubleshooting-issues/admin-ajax-blocked/. We have a few steps for you to follow in order to fix this issue.
Also, make sure that you have whitelisted all the URLs related to GiveWP from your cache plugins, because they can influence how the plugin works too.
When you fix the admin-ajax.php issue and whitelist ALL the URLs related to GiveWP, the Stripe warning should not influence the donation process.
On the other hand, if you still face issues after that, you may need to disable a few plugins/themes in order to test it. In this case, I suggest you follow our troubleshooting tutorials using Health Check. It allows you to isolate plugins and change themes for administrator, while the frontend still runs the live version of the website. You can see the documentation here:
https://givewp.com/documentation/resources/troubleshoot-wordpress-websites-health-check/
https://givewp.com/documentation/resources/how-to-troubleshoot-your-website-like-a-wordpress-support-engineer/
Please let us know if you have further questions on this or need any additional assistance!
