Update Google Pay CSP Directives (#914)

* Update Google Pay CSP Directives * Update Changelog * Add GooglePay CSP directive note
braintree · Nov 28, 2023 · 01a6792 · 01a6792
1 parent 69e9798
commit 01a6792
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
     - Add `aria-hidden` attribute to generic card icon
     - Add `aria-required` attribute to Hosted Fields
   - Update browser-detection to v1.17.1
+  - Update Google Pay CSP Directives
   - Updated Apple Pay logo to scale correctly
 
 ## 1.40.2

diff --git a/jsdoc/Home.md b/jsdoc/Home.md
@@ -164,9 +164,12 @@ If using [Google Pay](module-braintree-web-drop-in.html#~googlePayCreateOptions)
 |-------------|-----------------|-----------------|
 | script-src  | pay.google.com  | pay.google.com  |
 | style-src   | 'unsafe-inline' | 'unsafe-inline' |
+| connect-src | pay.google.com<br/>https://google.com/pay<br/>https://pay.google.com<br/>https://pay.google.com/about/redirect/ | pay.google.com<br/>https://google.com/pay<br/>https://pay.google.com<br/>https://pay.google.com/about/redirect/ |
 
 The `style-src` directive is required so that the styles for the Google Pay button can be generated by the Google Pay SDK. You may omit this directive, so long as you include style rules for the Google Pay button to satisfy [Google's brand guidelines](https://developers.google.com/pay/api/web/guides/brand-guidelines#payment-buttons).
 
+If Google adds redirects or changes URLs related to the Google Pay component, the domains or URLs in these directives may change.
+
 ### 3D Secure Specific Directives
 
 If using [3D Secure](module-braintree-web-drop-in.html#~threeDSecureOptions), include these additional directives: