Content Security Policy
If you have a CSP deployed on your website, you must allow the following sources in these directives:
- script-src: https://js.basistheory.com
- frame-src: https://elements.basistheory.com
```html
<head>
  <meta http-equiv="Content-Security-Policy"
        content="frame-src https://elements.basistheory.com; script-src https://js.basistheory.com" />
</head>
```
It is strongly recommended to implement a CSP on your website to help mitigate attacks such as Cross-Site Scripting (XSS).
Trusted Types
If you are using Trusted Types, you must allow dynamic script loading from the https://js.basistheory.com origin. This should be done BEFORE initialization.
```javascript
// Register the Trusted Types default policy before initialization, so the
// dynamically created <script src> for the loader passes the browser's check.
if (window.trustedTypes && trustedTypes.createPolicy) {
  trustedTypes.createPolicy("default", {
    createScriptURL: (input) => {
      // Compare the parsed origin, not a string prefix, so look-alike hosts fail;
      // the base URL lets relative inputs parse instead of throwing.
      if (new URL(input, document.baseURI).origin === "https://js.basistheory.com") {
        return input;
      }
      // Returning undefined rejects the URL and the assignment fails.
      return undefined;
    }
  });
}
```
Common CSP Errors
The setup above is recommended to avoid errors similar to these:

```text
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: (...).
Refused to frame 'https://elements.basistheory.com/' because it violates the following Content Security Policy directive: (...). Note that 'frame-src' was not explicitly set, so (...) is used as a fallback.
Failed to set the 'src' property on 'HTMLScriptElement': This document requires 'TrustedScriptURL' assignment.
```
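As an added example (not Basis Theory's code), the checker below parses a CSP value and reports which of the two required directives would still block the integration, applying the fallback chain the second error above refers to (frame-src falls back to child-src, then default-src). Source matching is deliberately simplified (assumption: exact host, `*` and scheme sources only; wildcard hosts are not handled).

```javascript
// Added example (not Basis Theory's code): verify that a CSP value grants the
// two sources this integration needs, honouring the fallback chain browsers
// use when a directive is absent (frame-src -> child-src -> default-src).
const REQUIRED_SOURCES = {
  "script-src": "https://js.basistheory.com",
  "frame-src": "https://elements.basistheory.com",
};
const FALLBACKS = {
  "script-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
};

// Parse a CSP header/meta value into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources; // first occurrence wins
  }
  return directives;
}

// Simplified source matching (assumption: exact host-source, "*" and
// scheme-source only; wildcard hosts such as https://*.example are not handled).
function sourceMatches(source, origin) {
  const src = source.toLowerCase();
  const org = origin.toLowerCase();
  return src === "*" || src === org ||
    (/^[a-z][a-z0-9+.-]*:$/.test(src) && org.startsWith(src));
}

// Does `policy` let `directive` load from `origin`? A directive that is neither
// set nor covered by a fallback imposes no restriction.
function cspAllows(policy, directive, origin) {
  const d = parseCsp(policy);
  const chain = [directive, ...(FALLBACKS[directive] ?? ["default-src"])];
  const sources = chain.map((name) => d[name]).find((s) => s !== undefined);
  return sources === undefined || sources.some((s) => sourceMatches(s, origin));
}

// Returns the directives that still block the integration, [] when none do.
function missingDirectives(policy) {
  return Object.keys(REQUIRED_SOURCES)
    .filter((dir) => !cspAllows(policy, dir, REQUIRED_SOURCES[dir]));
}

// Constructed sample: script-src is set, but frames fall back to default-src 'self'.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://js.basistheory.com";
console.log(missingDirectives(SAMPLE_POLICY)); // → ["frame-src"]
```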