Best Practices

Content Security Policy (CSP) is a security measure that helps prevent a range of attacks on a website, including Cross Site Scripting (XSS), clickjacking, and other code injection attacks. CSP adds a special HTTP header to web pages that tells the browser to load only approved content sources for each type of resource, such as scripts, stylesheets, and images. By enforcing these restrictions, CSP limits the potential attack vectors for malicious actors.

To integrate PayPal's JavaScript SDK, you need to add PayPal's script sources to your CSP's approved list so the browser trusts the scripts to handle transactions. You reduce the risk of XSS and similar attacks by ensuring that only scripts from trusted PayPal sources can run.

Our CSP recommendation: use 'unsafe-inline'

Using a nonce with your CSP is safer than 'unsafe-inline'. A nonce is a random string added to a script or style tag and in the CSP header, permitting specific inline scripts or styles while blocking others. This method is more secure than 'unsafe-inline', which can create potential security risks.

Our CSP recommendation: use a nonce

Cross-Origin-Opener-Policy (COOP) is a security feature that helps prevent cross-origin attacks, such as cross-site scripting (XSS) and data leaks. It allows a web application to control how it interacts with other browsing contexts, like iframes and popups, from different origins.

By setting a COOP header, a website can ensure that its documents can only be opened by documents from the same origin. This can help isolate the web application from potentially malicious content loaded from different origins, enhancing security and user privacy.

If you are using the PayPal Web SDK on your webpage, we recommend that you set the header to Cross-Origin-Opener-Policy: same-origin-allow-popups.

For more details, you can refer to the Cross-Origin-Opener-Policy documentation