Content Security Policy for payment method names.

Rouslan Solomakhin

Mar 11, 2021, 8:57:30 AM
to payment...@chromium.org
If you don't have content security policy enabled on your website, you can stop reading now.

TL;DR: If you use a URL payment method such as https://some.url in PaymentRequest, then make sure that your content security policy allows access to https://some.url.

Hi developers,

Starting from Chrome 90, if your page's content security policy (CSP) blocks access to https://some.url, then constructing a PaymentRequest with a payment method of https://some.url will fail with an exception:

RangeError: Failed to construct 'PaymentRequest': https://some.url payment method identifier violates Content Security Policy.

This change should help to detect and mitigate certain types of attacks, such as Cross Site Scripting.

Setting up CSP can be an involved process, so if you don't know whether your website has it enabled, then most likely it does not. This change does not affect you in that case.

We are not aware of any websites that would be affected by this. If you're affected, then please let us know your use case. Thank you!

Cheers,
Rouslan
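
The check described in the message above can be approximated before deployment. The following is an added example, not code from the post or from Chrome: it parses a CSP header value and reports which URL payment method identifiers it would not allow. It assumes the governing directive is `connect-src` with fallback to `default-src` (the post does not name the directive); the function names are hypothetical and the source matching is a simplified subset of CSP.

```javascript
// Added example: simplified CSP source matching, not Chrome's own algorithm.
// Assumption: connect-src governs the check, falling back to default-src.
function effectiveSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  // null: no governing directive, so the policy blocks nothing here.
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

function sourceAllows(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s || s === 'http:'; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Identifiers are https URLs; an http or scheme-less source also covers https.
  if (scheme && !['http', 'https'].includes(scheme.toLowerCase())) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  const wantPort = port === '443' ? '' : (port ?? ''); // URL drops the default port
  if (port !== '*' && wantPort !== url.port) return false;
  if (!path) return true;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Returns the URL payment method identifiers the policy would not allow.
function blockedPaymentMethods(policy, methods, selfOrigin) {
  const sources = effectiveSources(policy);
  if (sources === null) return [];
  return methods.filter((id) => {
    let url;
    try { url = new URL(id); } catch { return false; } // not a URL identifier
    if (url.protocol !== 'https:') return false; // out of scope for this check
    return !sources.some((src) => sourceAllows(src, url, selfOrigin));
  });
}
```

Call `blockedPaymentMethods(headerValue, identifiers, pageOrigin)` with the header you ship; any identifier it returns needs a matching source expression added to the policy.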