Do I need to worry about Stripe "payment_intent_client_secret"s leaking?

Time: 07-09

I've been testing a Stripe implementation against their test cards. All of them perform as expected, but the first 3 3DS Required cards (as opposed to 3DS2) throw a bunch of errors in the browser console:

[Error] The Content Security Policy directive 'frame-ancestors' is ignored when delivered in a report-only policy.
[Error] [Report Only] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (test_source_3ds, line 96)
[Error] [Report Only] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (test_source_3ds, line 98)
[Error] [Report Only] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (test_source_3ds, line 145)
[Error] [Report Only] Refused to load https://fast.fonts.net/t/1.css?apiType=css&projectid=4414faae-0f1e-48be-9319-851fc710f613 because it does not appear in the style-src directive of the Content Security Policy. (x2)
[Error] [Report Only] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (test_source_3ds, line 286, x5)
[Error] Failed to load resource: the server responded with a status of 404 () (index-123dfdc61622c51a9de7.min.css.map, line 0)
[Error] Failed to load resource: the server responded with a status of 404 () (index-1c379baa22db1e91b0f5.min.css.map, line 0)
[Error] [Report Only] Refused to load https://hooks.stripe.com/three_d_secure/redirect_complete/acct_1Ks5eEJk0JZEEkV1/tdsrc_1LJNBMJk0JZEEkV1t6uTeC4Y because it does not appear in the form-action directive of the Content Security Policy. (x2)

I assume those "Report Only" items are inconsequential (though I don't know why they get thrown as errors instead of warnings), but then, after the transaction completes (or fails), it throws some errors that include "payment_intent_client_secret" and "payment_intent":

[Error] Refused to load http://localhost:3000/?payment_intent=pi_3LJNBCJk0JZEEkV11lhu6GfN&payment_intent_client_secret=pi_3LJNBCJk0JZEEkV11lhu6GfN_secret_KA1mmJKPHNqgHvc2Tb62LgnI1&source_redirect_slug=test_YWNjdF8xS3M1ZUVKazBKWkVFa1YxLF9NMVExQTFhWXo2RDgxYnpDTHlidW1DbVZ4eVVNOTdv0100Efqqsukb&source_type=card#register because it does not appear in the frame-src directive of the Content Security Policy.
[Error] [Report Only] Refused to load http://localhost:3000/?payment_intent=pi_3LJNBCJk0JZEEkV11lhu6GfN&payment_intent_client_secret=pi_3LJNBCJk0JZEEkV11lhu6GfN_secret_KA1mmJKPHNqgHvc2Tb62LgnI1&source_redirect_slug=test_YWNjdF8xS3M1ZUVKazBKWkVFa1YxLF9NMVExQTFhWXo2RDgxYnpDTHlidW1DbVZ4eVVNOTdv0100Efqqsukb&source_type=card#register because it does not appear in the frame-src directive of the Content Security Policy.

Of course, this may only be happening because I'm developing on localhost, though it is curious that it doesn't happen for the other 3DS cards.

The console errors notwithstanding, everything works as expected from a user perspective. The question is, is this something I need to worry about in production, or can I just ignore it? In particular, the fact that those last errors are revealing "secrets" seems worrisome.

The test cards which cause this are:

  • 4000000000003063
  • 4000008400001629
  • 4000008400001280

All other cards, including 3DS2 cards, seem fine, so it may just be something with their test implementation on the back end.

CodePudding user response:

As you rightly identified, most of these errors are due to loading the outdated 3DSv1 content into the modal presented to the user. As you noticed, the 3DS2 implementation does not experience these errors.

Those URLs with the http://localhost:3000/ and the parameters look to be how you are configuring the redirect URL, since Stripe supports passing variables like client_secret. However, this is bad practice, as the docs call out here (look for the amber alert box at the bottom).

I would suggest you review the success and/or redirect URLs you are providing both for the Payment Intent and the rendering of the Payment Element to ensure you aren't inadvertently embedding the client_secret directly.
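As an added example (not code from the original post or from Stripe), the JavaScript below turns the two reviews the answer recommends into checks you can run against your own configuration: it flags a return/redirect URL that carries a client secret in its query string or fragment, and it parses a Content-Security-Policy header and reports whether a given directive would let the browser load a Stripe URL, which is exactly what the frame-src and form-action errors in the console output are complaining about. The helper names (findEmbeddedSecrets, parseCsp, cspAllows) are assumptions, the sample URLs and header strings are constructed, and the Stripe hosts in the corrected policy are assumptions too (hooks.stripe.com appears in the console output above; js.stripe.com and api.stripe.com are assumed), so verify them against Stripe's own CSP documentation before shipping.

```javascript
// Added example, not from the original post or from Stripe. Runs under Node (global URL)
// or in a browser.

// --- 1. Does a return/redirect URL carry a client secret? ------------------------

// Parameter names that mark a value as a client secret. payment_intent_client_secret
// is the one seen in the console output above; the others are the generic/setup forms.
const SECRET_PARAM_NAMES = new Set([
  'client_secret', 'payment_intent_client_secret', 'setup_intent_client_secret',
]);
// Stripe client secret values carry a "_secret_" infix (visible in the quoted URLs);
// matching on the value too catches a secret passed under an unexpected parameter name.
const SECRET_VALUE_PATTERN = /_secret_/;

// Returns [{ where: 'query' | 'fragment', name }] for every parameter that leaks a secret.
function findEmbeddedSecrets(urlString) {
  const url = new URL(urlString);
  const findings = [];
  const check = (where, name, value) => {
    if (SECRET_PARAM_NAMES.has(name) || SECRET_VALUE_PATTERN.test(value)) {
      findings.push({ where, name });
    }
  };
  for (const [name, value] of url.searchParams) check('query', name, value);
  // A "#a=b&c=d" fragment is readable by any script on the page via location.hash.
  const fragment = url.hash.replace(/^#/, '');
  if (fragment.includes('=')) {
    for (const [name, value] of new URLSearchParams(fragment)) check('fragment', name, value);
  }
  return findings;
}

// --- 2. Would the page's CSP refuse a Stripe frame or form post? -----------------

// Parse a Content-Security-Policy header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does one CSP source expression ('self', scheme:, host[:port], *.host) match target?
// Simplified: path matching and default-port equivalence are not modelled.
function sourceMatches(src, target, pageOrigin) {
  if (src === "'self'") return target.origin === pageOrigin;
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
  const hostOk = host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1).toLowerCase())
    : target.hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== '*' && port !== target.port) return false;
  return true;
}

// True if `directive` in `policy` permits loading `targetUrl` from a page at `pageOrigin`.
// An absent directive is treated as unrestricted (default-src fallback not modelled).
function cspAllows(policy, directive, targetUrl, pageOrigin) {
  const sources = policy[directive.toLowerCase()];
  if (!sources) return true;
  const target = new URL(targetUrl);
  return sources.some((src) => sourceMatches(src, target, pageOrigin));
}

// Constructed samples for a quick run. The leaky URL mirrors the shape of the one in the
// console output above; the CSP strings show a policy that refuses the Stripe 3DS frame
// beside one that permits it.
const LEAKY_RETURN_URL =
  'http://localhost:3000/?payment_intent=pi_3LJNBCJk0JZEEkV11lhu6GfN' +
  '&payment_intent_client_secret=pi_3LJNBCJk0JZEEkV11lhu6GfN_secret_KA1mmJKPHNqgHvc2Tb62LgnI1' +
  '&source_type=card#register';
const STRIPE_3DS_URL =
  'https://hooks.stripe.com/three_d_secure/redirect_complete/acct_example/tdsrc_example';
const WEAK_CSP = "default-src 'self'; frame-src 'self'; form-action 'self'";
const FIXED_CSP =
  "default-src 'self'; connect-src 'self' https://api.stripe.com; " +
  "script-src 'self' https://js.stripe.com; " +
  "frame-src 'self' https://js.stripe.com https://hooks.stripe.com; " +
  "form-action 'self' https://hooks.stripe.com";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findEmbeddedSecrets(LEAKY_RETURN_URL));
  console.log(cspAllows(parseCsp(WEAK_CSP), 'frame-src', STRIPE_3DS_URL, 'https://shop.example'));
  console.log(cspAllows(parseCsp(FIXED_CSP), 'frame-src', STRIPE_3DS_URL, 'https://shop.example'));
}

module.exports = { findEmbeddedSecrets, parseCsp, cspAllows };
```

Run findEmbeddedSecrets over every return_url and success URL your code hands to Stripe; a non-empty result means a secret would travel in a URL that ends up in browser history, Referer headers and server logs. Run cspAllows for frame-src and form-action against the Stripe hosts before deploying a policy, so the "does not appear in the X directive" refusals show up in a test rather than in a customer's console.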
