Accept Hosted Iframe CSP configuration concern

NScarlatoTdoc — Tue, 10 Mar 2026 21:13:20 GMT

I am framing the payment form, it loads and I can pay, but I get some errors on console.
Before loading the communicator I get these CSP errors
Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'nonce-lieBPojqMUimm78ud0fuIg==' blob: https://*.ads-twitter.com https://*.authorize.net https://*.bing.com https://*.ceros.com https://*.contentsquare.com https://*.contentsquare.net https://*.cookiereports.com https://*.doubleclick.net https://*.eloqua.com https://*.en25.com https://*.facebook.net https://*.google-analytics.com https://*.google.com https://*.googleadservices.com https://*.googletagmanager.com https://*.gstatic.com https://*.idio.episerver.net https://*.licdn.com https://*.linkedin.com https://*.optimizely.com https://*.storygize.com https://*.twitter.com https://*.visa.com https://*.youtube.com https://api.company-target.com https://cdn-assets-prod.s3.amazonaws.com https://code.jquery.com https://company-target.com https://id.rlcdn.com https://optimizely.s3.amazonaws.com https://rlcdn.com https://s.company-target.com https://scripts.demandbase.com https://segments.company-target.com https://storygize.com https://tag-logger.demandbase.com https://tag.demandbase.com https://anetnahuel.master.visitstaging.org/authorize-net/9fe3ed57-950d-4a84-aa09-82b1ca7226b8/communicator'. Either the 'unsafe-inline' keyword, a hash ('sha256-rQFcSQ+uPvBBS36Ebz2AA8DWF5LxdwuQKeLhxEfN+Ec='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'nonce-lieBPojqMUimm78ud0fuIg==' blob: https://*.ads-twitter.com https://*.authorize.net https://*.bing.com https://*.ceros.com https://*.contentsquare.com https://*.contentsquare.net https://*.cookiereports.com https://*.doubleclick.net https://*.eloqua.com https://*.en25.com https://*.facebook.net https://*.google-analytics.com https://*.google.com https://*.googleadservices.com https://*.googletagmanager.com https://*.gstatic.com https://*.idio.episerver.net https://*.licdn.com https://*.linkedin.com https://*.optimizely.com https://*.storygize.com https://*.twitter.com https://*.visa.com https://*.youtube.com https://api.company-target.com https://cdn-assets-prod.s3.amazonaws.com https://code.jquery.com https://company-target.com https://id.rlcdn.com https://optimizely.s3.amazonaws.com https://rlcdn.com https://s.company-target.com https://scripts.demandbase.com https://segments.company-target.com https://storygize.com https://tag-logger.demandbase.com https://tag.demandbase.com https://anetnahuel.master.visitstaging.org/authorize-net/9fe3ed57-950d-4a84-aa09-82b1ca7226b8/communicator'. Either the 'unsafe-inline' keyword, a hash ('sha256-rQFcSQ+uPvBBS36Ebz2AA8DWF5LxdwuQKeLhxEfN+Ec='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

After I successfully do the payment I get these errors
Applying inline style violates the following Content Security Policy directive 'style-src 'self' 'nonce-lieBPojqMUimm78ud0fuIg==' https://*.authorize.net https://*.ceros.com https://*.eloqua.com https://*.google.com https://*.gsatic.com https://*.licdn.com https://*.optimizely.com https://*.visa.com https://fonts.googleapis.com https://anetnahuel.master.visitstaging.org/authorize-net/9fe3ed57-950d-4a84-aa09-82b1ca7226b8/communicator'. Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript&colon; navigations unless the 'unsafe-hashes' keyword is present. The action has been blocked.
Applying inline style violates the following Content Security Policy directive 'style-src 'self' 'nonce-lieBPojqMUimm78ud0fuIg==' https://*.authorize.net https://*.ceros.com https://*.eloqua.com https://*.google.com https://*.gsatic.com https://*.licdn.com https://*.optimizely.com https://*.visa.com https://fonts.googleapis.com https://anetnahuel.master.visitstaging.org/authorize-net/9fe3ed57-950d-4a84-aa09-82b1ca7226b8/communicator'. Either the 'unsafe-inline' keyword, a hash ('sha256-0EZqoz+oBhx7gF4nvY2bSqoGyy4zLjNF+SDQXGp/ZrY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript&colon; navigations unless the 'unsafe-hashes' keyword is present. The action has been blocked.
Framing 'https://anetnahuel.master.visitstaging.org/' violates the following Content Security Policy directive: "frame-src 'self' truclinicapp: js.stripe.com cdn.visitnow.org lib.paymentjs.firstdata.com api.convergepay.com api.demo.convergepay.com test.authorize.net accept.authorize.net". The request has been blocked.

My application lives on the domain 'patient.master.visitstaging.org', my communicator comes from the domain 'master.visitstaging.org'.

How should i define my CSP rules on 'patient.master.visitstaging.org' to frame correctly the iframe?
Same question on the communicator endpoint response so it can be used inside the iframe and it can communicate with my main application?

topic Accept Hosted Iframe CSP configuration concern in Integration and Testing

Accept Hosted Iframe CSP configuration concern