Content Security Policy
If you have a CSP deployed on your website, you must include the following directives:
script-src
- https://js.basistheory.com
frame-src
- https://elements.basistheory.com
If you are using Trusted Types, you must allow dynamic script loading from the https://js.basistheory.com origin. This should be done BEFORE initialization.
CSP
<head>
  <meta http-equiv="Content-Security-Policy"
        content="frame-src https://elements.basistheory.com; script-src https://js.basistheory.com" />
</head>
Trusted Types
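// Register the default policy before the Basis Theory script is initialized.
trustedTypes.createPolicy("default", {
  createScriptURL: (input) => {
    // Allow script URLs only from the Basis Theory origin.
    if (new URL(input).origin === "https://js.basistheory.com") {
      return input;
    }
    // Returning undefined rejects every other script URL.
    return undefined;
  }
});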
Common CSP Errors
The setup above is recommended to avoid errors similar to these:
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: (...).
Refused to frame 'https://elements.basistheory.com/' because it violates the following Content Security Policy directive: (...). Note that 'frame-src' was not explicitly set, so (...) is used as a fallback.
Failed to set the 'src' property on 'HTMLScriptElement': This document requires 'TrustedScriptURL' assignment.
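To see which directive actually governs each load, including the fallback mentioned in the second error, the following added example (not Basis Theory code) checks a policy string against the two required origins. The function names, the simplified source matching and the sample policy are assumptions made for illustration, and the check goes slightly beyond the page by also following the `script-src-elem`, `child-src` and `default-src` fallbacks.

```javascript
// Added example (not Basis Theory code). Simplified: one policy, no paths, ports, nonces or hashes.
const REQUIRED = {
  "script-src": "https://js.basistheory.com",
  "frame-src": "https://elements.basistheory.com",
};
// Directives consulted, in order, for <script> elements and for frames.
const FALLBACK = {
  "script-src": ["script-src-elem", "script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};

// Parse "name src1 src2; name2 ..." into a Map; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression cover the origin? Assumes the embedding page is served over https.
function sourceAllows(source, origin) {
  const { protocol, hostname } = new URL(origin);
  const s = source.toLowerCase();
  if (s === "*" || s === protocol) return true; // "*" or a scheme source such as "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)\/?$/.exec(s);
  if (!m) return false; // quoted keywords ('self', 'none') never cover a third-party origin
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ":" !== protocol) return false;
  return wildcard ? hostname.endsWith("." + host) : hostname === host;
}

function checkCsp(policy) {
  const directives = parseCsp(policy);
  // When this is true, the Trusted Types policy shown above is also required.
  const result = { trustedTypesEnforced: directives.has("require-trusted-types-for") };
  for (const [name, origin] of Object.entries(REQUIRED)) {
    const governing = FALLBACK[name].find((d) => directives.has(d)) ?? null;
    // With no governing directive the policy does not restrict this load at all.
    const allowed = governing ? directives.get(governing).some((s) => sourceAllows(s, origin)) : true;
    result[name] = { governing, allowed };
  }
  return result;
}

// Constructed sample: frame-src is missing, so default-src 'self' governs the iframe.
const SAMPLE = "default-src 'self'; script-src 'self' https://js.basistheory.com";
console.log(checkCsp(SAMPLE));
```

For the sample policy the script load is allowed, while the frame is reported as governed by `default-src` and blocked, which is the situation behind the "Refused to frame" error.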