Hi, I am not an expert in PCI DSS 4.0 by any means, but I understand from some of our partners that one of its requirements will be to have a content security policy, and that it also discusses monitoring remote scripts.
I assume the language in 6.4.3 of the spec means that the CSP rules for the drop-in form (without PayPal) will be workable.
But opting for the PayPal option I see the following script-src directives:
www.paypalobjects.com
*.paypal.com
'unsafe-inline'
Please correct me if I'm wrong, but my understanding of CSP is that this is not one entry but 3 distinct script-src entries. If that is true, adding unsafe-inline seems to render the script segment of this tool as a security mechanism useless for the other protections we're supposed to be implementing on this page. I understand the reasons they have to list it here to make PayPal's implementation work as it stands, but are there any plans to update that implementation so that the unsafe-inline block isn't needed?
Thanks
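For anyone evaluating the policy quoted above, the following is an added example (it is not code from this issue, nor from the Braintree or PayPal SDKs). It parses a CSP header, lists the source expressions of script-src (a directive is one name followed by a list of source expressions; 'unsafe-inline' is one such expression), reports whether the policy lets inline <script> blocks run, and builds a nonce-based alternative. The check models the CSP Level 2 rule that a browser ignores 'unsafe-inline' in a directive that also carries a nonce or hash source. PAYPAL_POLICY is a string constructed from the three values quoted in the issue; noncePolicy and taggedInlineScript are hypothetical helpers, and nothing here asserts that the PayPal checkout script itself works under a nonce-only policy, which is the question the issue raises.

```javascript
// Added example (not from the issue or the Braintree/PayPal SDKs):
// parse a CSP header, inspect script-src, and build a nonce-based policy.

// Split a policy into directives. Per the spec a repeated directive name is
// ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src falls back to default-src when it is absent.
function scriptSources(policy) {
  return policy.get('script-src') || policy.get('default-src') || [];
}

// True when the policy lets inline <script> blocks execute. Browsers that
// implement CSP Level 2 or later ignore 'unsafe-inline' in a directive that
// also contains a nonce or hash source, so such a policy is treated as strict.
function allowsInlineScripts(policy) {
  const srcs = scriptSources(policy).map((s) => s.toLowerCase());
  const unsafeInline = srcs.includes("'unsafe-inline'");
  const nonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return unsafeInline && !nonceOrHash;
}

// Base64-encode CSPRNG bytes into a nonce value. The bytes must be freshly
// generated for every response (crypto.getRandomValues in a browser,
// crypto.randomBytes in Node); never reuse a nonce across responses.
function nonceFromBytes(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

// Hypothetical hardened policy: the same two hosts as the issue quotes, with a
// per-response nonce in place of 'unsafe-inline'.
function noncePolicy(nonce) {
  return `script-src www.paypalobjects.com *.paypal.com 'nonce-${nonce}'`;
}

// An inline script block only runs under noncePolicy if it carries the nonce.
function taggedInlineScript(nonce, body) {
  return `<script nonce="${nonce}">${body}</script>`;
}

// Summary a reviewer would want for any candidate header.
function report(header) {
  const policy = parseCsp(header);
  return {
    sources: scriptSources(policy),
    inlineAllowed: allowsInlineScripts(policy),
  };
}

// Constructed policy string assembled from the three values quoted in the issue.
const PAYPAL_POLICY = "script-src www.paypalobjects.com *.paypal.com 'unsafe-inline'";

// Constructed, all-zero nonce bytes for the stand-alone run only; real code
// must use a CSPRNG as noted above.
const DEMO_NONCE = nonceFromBytes(new Uint8Array(16));

console.log(report(PAYPAL_POLICY));
console.log(report(noncePolicy(DEMO_NONCE)));
console.log(taggedInlineScript(DEMO_NONCE, 'console.log("inline, but nonced")'));
```

Running it shows the quoted policy with inlineAllowed: true and the nonce variant with inlineAllowed: false; the hosts stay allow-listed in both, so the only thing the nonce form removes is unrestricted inline script execution.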