Sagepay ACS Providers being blocked by CSP
We have an integration with sagepay where we load sagepay url within an iframe in our web-application. We do have *.sagepay.com defined in the frame-src directive of our CSP policy for the iframe.
However, recently our customers started reporting this error where the request was being blocked by the browser (Chrome) due to error: The page's setting blocked the loading of resource at https://***.touchtechpayments.com. This specifically happens on 3D secure validation. On contacting sagepay we were told that touchtechpayments is one of the ACS providers for Mastercard and needs to be allowed for Secure3D. However, they do not have a full list of all ACS providers.
I did add the above provider to our CSP allow list; however, we started getting reports of other providers (*.arcot.com) being blocked due to CSP.
Now, I am not sure what is the best way to handle this, and sagepay support is kind of clueless too. On searching Mastercard/Visa, we found a list of CSP providers, but I don't think it's practical to add those all to the CSP list and maintain that list.
How do other people deal with this issue? I am sure other people must've faced similar issues with Sagepay integration?
Solution 1:[1]
We had the same problem. We had to add sandbox='allow-scripts allow-top-navigation allow-forms' into the iframe nodes.
Solution 2:[2]
We've had the same problem, we've ended up setting the: frame-src * CSP for the page that loads the SagePay/Opayo iFrame, otherwise the external providers would get blocked based on our strict default-src policy.
I am not sure if there is anything else you can do. You either list them individually or loosen up the rule.
Setting up: frame-src * shall be OK security-wise, given you trust SagePay. Since you're using them for payments, you certainly do to some degree.
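To see what the two approaches actually change, here is an added example (not from the question or either answer) that evaluates a `frame-src` value against a URL using the CSP host-source matching rules: `*.sagepay.com` covers subdomains only, a bare `*` covers any http/https origin but never `data:`/`blob:`. The page origin `https://shop.example` and the challenge path on the ACS host are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin_port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)

def _host_matches(pattern, host):
    # CSP host-source rule: '*.sagepay.com' matches subdomains only, never the bare domain
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_allows(source, url, page_origin):
    """True if a single frame-src source expression permits framing `url`."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (u.scheme, u.hostname, _origin_port(u)) == (p.scheme, p.hostname, _origin_port(p))
    if source == "*":
        return u.scheme in ("http", "https", "ws", "wss")   # '*' never covers data:/blob:
    if source.endswith(":") and "/" not in source:           # scheme-source such as 'https:'
        return u.scheme == source[:-1]
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")     # paths ignored in this simplified matcher
    want = scheme or p.scheme                                # no scheme: inherit the page's, https upgrade allowed
    if not (u.scheme == want or (want == "http" and u.scheme == "https")):
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    return not port or port == "*" or str(_origin_port(u)) == port

def frame_src_allows(sources, url, page_origin="https://shop.example"):
    return any(source_allows(s, url, page_origin) for s in sources.split())

# Constructed, illustrative 3-D Secure challenge URL on one of the ACS hosts named in the question
ACS_URL = "https://acs.touchtechpayments.com/challenge"

POLICIES = {
    "original":  "*.sagepay.com",                                      # what the asker had
    "explicit":  "*.sagepay.com *.touchtechpayments.com *.arcot.com",  # allow-list the ACS hosts reported so far
    "solution2": "*",                                                  # the loosened rule from Solution 2
}

def evaluate(url=ACS_URL):
    """Which policies would let the browser frame `url`?"""
    return {name: frame_src_allows(value, url) for name, value in POLICIES.items()}
```

Running `evaluate()` shows the original policy blocking the ACS challenge while both the explicit allow-list and `frame-src *` permit it; the difference is that the explicit list still refuses any host that is not a known ACS, which is the maintenance trade-off the question describes.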
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | user15521374 |
| Solution 2 | NeverEndingQueue |
