Urgent Sandbox issue. Our product has been successfully using the Accept Hosted payment method for years now where we embed the form in an iFrame. Recently the Chrome and Edge browsers started enforcing a content security policy that is blocking the action of the hosted form. Is anyone else experiencing this issue? We can't change anything in the embedded form provided by Authorize.Net to avoid the CSP issues, so we are helpless.
Error from browser console:
Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'nonce-JPULaiHJBUucGA4TtPGSGA==' blob: https://*.ads-twitter.com https://*.authorize.net https://*.bing.com https://*.ceros.com https://*.contentsquare.com https://*.contentsquare.net https://*.cookiereports.com https://*.doubleclick.net https://*.eloqua.com https://*.en25.com https://*.facebook.net https://*.google-analytics.com https://*.google.com https://*.googleadservices.com https://*.googletagmanager.com https://*.gstatic.com https://*.idio.episerver.net https://*.licdn.com https://*.linkedin.com https://*.optimizely.com https://*.storygize.com https://*.twitter.com https://*.visa.com https://*.youtube.com https://api.company-target.com https://cdn-assets-prod.s3.amazonaws.com https://code.jquery.com https://company-target.com https://id.rlcdn.com https://optimizely.s3.amazonaws.com https://rlcdn.com https://s.company-target.com https://scripts.demandbase.com https://segments.company-target.com https://storygize.com https://tag-logger.demandbase.com https://tag.demandbase.com https://<domain and path>/IFrameCommunicator.html'. Either the 'unsafe-inline' keyword, a hash ('sha256-rQFcSQ+uPvBBS36Ebz2AA8DWF5LxdwuQKeLhxEfN+Ec='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
This is ONLY happening in the sandbox environments, not in production environments. However, our company relies on these sandbox environments to test and support hundreds of customers, but now we can no longer use them.
12-07-2025 09:35 AM
UPDATE: I talked with Authorize.Net Support, and they have acknowledged the issue and told me they are working on a fix. However, they were unable to provide a timeline for resolution.
12-19-2025 08:06 AM
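Added example, not part of the original posts and not Authorize.Net code: a small Python check that reproduces the browser's decision in the console error above, showing why an allowlisted host such as https://*.authorize.net does not cover an inline script and which hash source would. The policy string, nonce value and script text are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# Constructed samples: a shortened policy in the shape of the one in the post,
# and a stand-in inline script (not the hosted form's real script).
SAMPLE_POLICY = "script-src 'self' 'nonce-abc123' blob: https://*.authorize.net"
SAMPLE_SCRIPT = "console.log('hosted form loaded');"

def script_src_sources(policy):
    """Source list governing scripts: script-src, else default-src, else None."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first wins
    return directives.get("script-src", directives.get("default-src"))

def csp_hash(script_text, algo="sha256"):
    """Hash source for the exact text between <script> and </script>."""
    digest = HASH_ALGOS[algo](script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"

def inline_script_verdict(policy, script_text, nonce=None):
    """Return (allowed, reason) for one inline <script> under the policy."""
    sources = script_src_sources(policy)
    if sources is None:
        return True, "no script-src or default-src directive"
    lowered = [s.lower() for s in sources]
    nonces = [s[7:-1] for s in sources if s.lower().startswith("'nonce-")]
    hashes = [s for s in sources if s.lower().startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if nonce is not None and nonce in nonces:
        return True, "nonce matches"
    if any(csp_hash(script_text, a) in hashes for a in HASH_ALGOS):
        return True, "hash matches"
    # Host sources never authorise inline code, and 'unsafe-inline' is ignored
    # once a nonce, a hash or 'strict-dynamic' is present in the list.
    strict = nonces or hashes or "'strict-dynamic'" in lowered
    if "'unsafe-inline'" in lowered and not strict:
        return True, "'unsafe-inline' in effect"
    return False, f"blocked: needs a matching nonce or {csp_hash(script_text)}"

if __name__ == "__main__":
    print(inline_script_verdict(SAMPLE_POLICY, SAMPLE_SCRIPT))
```

The hash is computed over the script element's exact text, so any whitespace change in the inline script produces a different value.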