🚨 This guide is only relevant for the Web integration.
A Content-Security-Policy header helps to protect your checkout page from cross-site scripting attacks by allowing you to define where resources can be loaded from.
You'll need to add a few things to your allowlist:
Policy | Origin | Notes |
---|---|---|
script-src | sdk.sandbox.primer.io | required |
script-src | sdk.production.primer.io | required |
frame-src | *.primer.io | required |
style-src | *.primer.io | required |
style-src | 'unsafe-inline' | required |
connect-src | *.primer.io | required |
frame-src | *.3dsecure.io | For 3DS |
frame-src | *.cardinalcommerce.com | For 3DS |
script-src | x.klarnacdn.net | For Klarna Payments |
connect-src | x.klarna.com | For Klarna Payments |
script-src | *.paypal.com | For PayPal Payments |
frame-src | *.paypal.com | For PayPal Payments |
connect-src | *.paypal.com | For PayPal Payments |
img-src | *.paypal.com | For PayPal Payments |
script-src | *.paypalobjects.com | For PayPal Payments |
img-src | *.paypalobjects.com | For PayPal Payments |
script-src | js.stripe.com | For Stripe Payments |
connect-src | *.stripe.com | For Stripe Payments |
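
One way to merge these rows into a policy you already serve, as an added example (not Primer's own code). The names `PRIMER_SOURCES`, `parseCsp`, `addPrimerSources` and the group keys are chosen here, and sending only the SDK host of the environment in use is an assumption. The step that is easy to miss: a directive you add for the first time stops falling back to `default-src`, so it is seeded with the sources it previously inherited.

```javascript
// Added example. Origins are copied from the table above; the group keys are names chosen here.
const PRIMER_SOURCES = {
  required: {
    "frame-src": ["*.primer.io"],
    "style-src": ["*.primer.io", "'unsafe-inline'"],
    "connect-src": ["*.primer.io"],
  },
  // Assumption: each environment only needs its own SDK host.
  sandbox: { "script-src": ["sdk.sandbox.primer.io"] },
  production: { "script-src": ["sdk.production.primer.io"] },
  "3ds": { "frame-src": ["*.3dsecure.io", "*.cardinalcommerce.com"] },
  klarna: { "script-src": ["x.klarnacdn.net"], "connect-src": ["x.klarna.com"] },
  paypal: {
    "script-src": ["*.paypal.com", "*.paypalobjects.com"],
    "frame-src": ["*.paypal.com"],
    "connect-src": ["*.paypal.com"],
    "img-src": ["*.paypal.com", "*.paypalobjects.com"],
  },
  stripe: { "script-src": ["js.stripe.com"], "connect-src": ["*.stripe.com"] },
};

// Parse "name src src; name src" into Map(name -> Set(sources)).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers honour only the first occurrence of a directive.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), new Set(sources));
  }
  return directives;
}

function addPrimerSources(existingPolicy, { env, methods = [] }) {
  const directives = parseCsp(existingPolicy);
  for (const group of ["required", env, ...methods]) {
    if (!Object.hasOwn(PRIMER_SOURCES, group)) throw new Error(`unknown group: ${group}`);
    for (const [name, sources] of Object.entries(PRIMER_SOURCES[group])) {
      if (!directives.has(name)) {
        // A new directive stops falling back to default-src (frame-src: child-src first),
        // so seed it with the fallback's sources to keep what was already allowed.
        const fallback = name === "frame-src" && directives.has("child-src") ? "child-src" : "default-src";
        directives.set(name, new Set(directives.get(fallback) ?? []));
      }
      const set = directives.get(name);
      set.delete("'none'"); // 'none' must stand alone; drop it once real sources are added
      sources.forEach((s) => set.add(s));
    }
  }
  return [...directives].map(([name, set]) => [name, ...set].join(" ")).join("; ");
}
```

Pass the returned string as the value of the `Content-Security-Policy` response header on the checkout page, listing only the payment methods you have enabled.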