I have an ASP.NET view with an iframe to the PayPal BrainTree sandbox. The BrainTree checkout loads fine but throws this error into the console:
Refused to load the script 'https://static.cloudflareinsights.com/beacon.min.js/...' because it violates the following Content Security Policy directive: "script-src 'self''unsafe-inline' *.braintreegateway.com *.braintree-api.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
That CloudFlare link is deep inside the iframe's #document. Here's my view's Razor:
<body>
    @using (Html.BeginForm("Checkout", "BrainTree", FormMethod.Post, new { id = "payment-form" }))
    {
        <div id="dropin-container"></div>
        <input type="submit" />
        <input type="hidden" id="nonce" name="payment_method_nonce" />
    }
    <span id="token" style="display:none">@ViewBag.ClientToken</span>
</body>
@section Scripts {
    <script src="https://js.braintreegateway.com/web/dropin/1.44.1/js/dropin.min.js"></script>
    <script src="~/Scripts/BrainTree/braintree.js"></script>
}
Is this something that I can fix by adding a CSP to my app or is it something that must be addressed by BrainTree?
Thank you.
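Added example, not part of the original post and not Braintree or Cloudflare code: a simplified evaluation of the directive quoted in the console error against a script URL, including the script-src-elem fallback the message mentions. The function names and the document origin passed in are assumptions, and the space between 'self' and 'unsafe-inline' is assumed to have been lost in copying.

```javascript
// Policy text as quoted in the console error. Assumption: the space between
// 'self' and 'unsafe-inline' was lost in copying and is restored here.
const POLICY =
  "script-src 'self' 'unsafe-inline' *.braintreegateway.com *.braintree-api.com";

// Parse a serialized CSP into { directive-name: [source expressions] }.
function parsePolicy(text) {
  const directives = Object.create(null);
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified host-source match: optional scheme, exact host or leading "*."
// wildcard. Ports, paths and scheme-only sources are not handled.
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const pattern = host.toLowerCase();
  const hostname = url.hostname.toLowerCase();
  if (pattern === '*') return true;
  // "*.example.com" matches subdomains only, not example.com itself.
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1));
  return hostname === pattern;
}

// May an external <script src> load in a document governed by policyText?
function checkScript(policyText, documentOrigin, scriptUrl) {
  const directives = parsePolicy(policyText);
  // Fallback chain: script-src-elem, then script-src (as the error notes),
  // then default-src.
  const used = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => d in directives);
  if (!used) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  const allowed = directives[used].some((src) => {
    if (src === "'self'") return url.origin === documentOrigin;
    if (src.startsWith("'")) return false; // keywords never match a URL
    return hostSourceMatches(src, url);
  });
  return { allowed, directive: used };
}
```

CSP is enforced per document, so the directive in the message is the policy in force for the document that requested the script.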