Posted on

CCryptographic NONCE in Content Security Policy

My site is on Apache, the host has enabled 'mod_unique_id'
My CSP runs in the root .htaccess.
My host has given me 2 lines of code to put in the CSP to make an unrecognisable base64 NONCE code each time it's needed - particularly for PayPal.
What they sent (in bold):
`

<IfModule mod_headers.c>
    **Header set X-Nonce "expr=%{base64:%{reqenv:UNIQUE_ID}}"
    Header set Content-Security-Policy "expr=default-src 'self'; script-src 'self' 'nonce-%{base64:%{reqenv:UNIQUE_ID}}'"**`

The 2 lines of code go in my .htaccess somewhere, I'm pretty confident about the script-src but the bit that's throwing me is the expr=default-src: - is that a new directive?

This is the Header set Content-Security-Policy "frame-ancestors 'self' twitter.com t.co;block-all-mixed-content;default-src 'unsafe-inline' https://www.(my website).com https://www.paypal.com https://www.clarity.ms https://www.google.com https://www.paypalobjects.com;script-src 'nonce-YSBmcmllbmQgaXMgYSBwZXJzb29uIHRoYXQgd2Fsa3MgaW4gd2hlbiB0aGUgb3RoZXJzIHdhbGsgb3V0'

I need someone who knows about CSP, the directives and the workings of the NONCE to help me set it up. My regular developer can't help me, my host has no idea, nor can a reputable developer whom I call on.
Anyone? Thanks in anticipation, Steve

Posted on

Content Security Policy / PayPal

Anyone here had experience with PayPal Content Security Policy?
I tried to make a dummy purchase using Chrome Developer tools and this message is written in the bottom box: Content Security Policy blocks inline execution of scripts and stylesheets
(See attachment)
There must be a line of code to go in the <head> lurking somewhere, PayPal doesn't want to make it simple.
So, does anyone have any knowledge of this CSP? It's certainly preventing any PayPal sales that's for sure.

CSP1.png

Posted on

PayPal IPN for Digital Goods

I appreciate you helping me with this problem, thank you. I have lots of pages in my shop, they are all <form> Add to Cart and the View Cart, they both work when I make a 1p sale, but I don't get the option of paying with PayPal, just my Debit card. Here is my button code, it's the same format on all my pages, it's just the code that's different.

I use a test-listener.htm (which is also in the root directory on my server) and it finds the IPN and it goes straight to where it lives on the thankyou.php page.
Thee thankyou.php page has html which assures the customer his/her transaction is received.
BUT, there's no download urls for the customer's order to be downloaded, even though they're in the PayPal 'return url' box.

This is completely baffling me and has been since before Xmas, I trid to install the smart buttons but lordy, that one was a maze, I had to give upon it!
I'd be so grateful for any clues, I get good hits on my site, but my sales have been zilch, apart from the odd one or two that slipped in somehow. I watch ms clarity and see the cart buttons clicked on, so there is activity.
Regards and gratitude, I hope I've explained it OK, from Steve