Summary
Add support for Content Security Policy (CSP) nonce parameter to allow the Google Pay Button to work with restrictive CSP policies by passing the nonce to dynamically injected scripts and styles.
Problem Statement
Currently, the Google Pay Button injects scripts and styles dynamically without CSP nonce support, making it incompatible with strict CSP policies. This is particularly problematic for:
- Checkout-as-a-Service platforms
- Applications with restrictive security policies
- E-commerce sites that need to prevent unauthorized script execution while allowing legitimate payment processors
Current Workaround Limitations
The only current workaround is adding SHA-256 hashes to CSP policies for each injected script/style:
- Hashes change when Google updates the button implementation
- Requires manual maintenance and monitoring for updates
- Not scalable for production environments
Proposed Solution
Add a nonce parameter to the Google Pay Button configuration that gets passed to all dynamically injected scripts and styles.
API Proposal
// Existing API
const paymentsClient = new google.payments.api.PaymentsClient({
environment: 'TEST' // or 'PRODUCTION'
});
// Proposed enhancement
const paymentsClient = new google.payments.api.PaymentsClient({
environment: 'TEST',
nonce: 'abc123def456' // CSP nonce value
});Implementation Details
When nonce is provided:
- All dynamically created
<script> tags should include nonce="${nonce}"
- All dynamically created
<style> tags should include nonce="${nonce}"
- Any inline styles should also respect the nonce parameter
Precedent
Samsung Pay Web already implements this feature successfully:
Use Case
I operate a checkout-as-a-service platform where:
- Users can install Google Tag Manager and other third-party scripts
- Strict CSP policies prevent unauthorized data capture (especially payment data)
- Need to allow legitimate payment processors while maintaining security
Expected Behavior
<!-- Current CSP policy requirement (brittle) -->
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'sha256-abc123...' 'sha256-def456...';
style-src 'self' 'sha256-ghi789...'">
<!-- Desired CSP policy with nonce support -->
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' 'nonce-abc123def456';
style-src 'self' 'nonce-abc123def456'">Benefits
- Security: Better CSP compliance without compromising security
- Maintainability: No need to update hashes when Google updates the button
- Scalability: Works consistently across different versions
- Industry Standard: Aligns with modern web security practices
Impact: Enables Google Pay adoption in security-restricted environments
Summary
Add support for Content Security Policy (CSP) nonce parameter to allow the Google Pay Button to work with restrictive CSP policies by passing the nonce to dynamically injected scripts and styles.
Problem Statement
Currently, the Google Pay Button injects scripts and styles dynamically without CSP nonce support, making it incompatible with strict CSP policies. This is particularly problematic for:
Current Workaround Limitations
The only current workaround is adding SHA-256 hashes to CSP policies for each injected script/style:
Proposed Solution
Add a
nonceparameter to the Google Pay Button configuration that gets passed to all dynamically injected scripts and styles.API Proposal
Implementation Details
When
nonceis provided:<script>tags should includenonce="${nonce}"<style>tags should includenonce="${nonce}"Precedent
Samsung Pay Web already implements this feature successfully:
Use Case
I operate a checkout-as-a-service platform where:
Expected Behavior
Benefits
Impact: Enables Google Pay adoption in security-restricted environments