Content Security Policy

If your website deploys a Content Security Policy (CSP), it must include the following directives:

```html
<head>
  <meta http-equiv="Content-Security-Policy"
        content="frame-src https://elements.basistheory.com; script-src https://js.basistheory.com" />
</head>
```

It is strongly recommended to deploy a CSP on your website to help mitigate attacks such as Cross-Site Scripting (XSS).

Trusted Types

If you are using Trusted Types, you must allow dynamic script loading from the https://js.basistheory.com origin. This must be done BEFORE initialization.

```javascript
// Default Trusted Types policy: only script URLs from the js.basistheory.com origin
// are converted into a TrustedScriptURL; anything else is rejected.
trustedTypes.createPolicy("default", {
  createScriptURL: (input) => {
    if (new URL(input).origin === "https://js.basistheory.com") {
      return input;
    }
    return undefined;
  }
});
```

Common CSP Errors

The setup above avoids browser console errors such as the following:

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: (...).

Refused to frame 'https://elements.basistheory.com/' because it violates the following Content Security Policy directive: (...). Note that 'frame-src' was not explicitly set, so (...) is used as a fallback.

Failed to set the 'src' property on 'HTMLScriptElement': This document requires 'TrustedScriptURL' assignment.
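To check a policy before deploying it, the following added example (not part of the Basis Theory documentation) parses a CSP string and reports whether it permits the two origins above, resolving the default-src fallback that the second error message refers to. The function names and the constructed sample policies in the comments are assumptions of this example.

```javascript
// Added example: does a CSP string allow the two origins Basis Theory Elements needs?
const REQUIRED = {
  "frame-src": "https://elements.basistheory.com",
  "script-src": "https://js.basistheory.com",
};

// Parse "dir1 a b; dir2 c" into { dir1: ["a", "b"], dir2: ["c"] } (names and sources lowercased).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Does one source expression permit `origin`? Covers the common forms: "*",
// scheme-only ("https:"), exact origin, and host wildcards ("https://*.example.com").
function sourceAllows(source, origin) {
  const url = new URL(origin);
  if (source === "*" || source === url.protocol || source === origin) return true;
  const m = source.match(/^(?:([a-z]+):\/\/)?\*\.(.+)$/);
  if (!m) return false;
  const schemeOk = !m[1] || `${m[1]}:` === url.protocol;
  return schemeOk && url.hostname.endsWith(`.${m[2]}`);
}

// Effective source list for a fetch directive: the directive itself, else default-src.
// Returns null when neither is set (the browser then imposes no restriction).
function effectiveSources(directives, name) {
  if (directives[name]) return { sources: directives[name], via: name };
  if (directives["default-src"]) return { sources: directives["default-src"], via: "default-src" };
  return null;
}

// Report, per required directive, whether the origin is allowed and which directive decided it.
function checkElementsCsp(policy) {
  const directives = parseCsp(policy);
  const report = {};
  for (const [name, origin] of Object.entries(REQUIRED)) {
    const eff = effectiveSources(directives, name);
    const allowed = eff === null || eff.sources.some((s) => sourceAllows(s, origin));
    report[name] = { allowed, via: eff ? eff.via : "(unrestricted)" };
  }
  return report;
}
```

A `frame-src` entry reported as `via: "default-src"` with `allowed: false` is exactly the situation the "frame-src was not explicitly set" error describes.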