Clicking "PayPal" button creates an empty pop up. PayPal modal sometimes doesn't work.

[john-parton]

General information

• SDK/Library version: 1.34.0
• Environment: Sandbox and production
• Browser and OS: Firefox on Ubuntu, Chrome on Windows

Issue description

Clicking "PayPal" button creates an empty pop up. PayPal modal sometimes doesn't work.

Here is a video:
Screencast from 2023-01-28 14-53-34.webm

Here's a possibly related error

[john-parton]

Here's the complete HTML source (just replace with a generated token). The problem is still present.

<html>
  <head>
    <script src="https://js.braintreegateway.com/web/dropin/1.33.7/js/dropin.min.js"></script>
    <script>
      var form = document.querySelector('#payment-form');
      var client_token = '{{ client_token }}';
      var cart_total = "9.99";

      braintree.dropin.create({
        authorization: client_token,
        selector: '#bt-dropin',
        paypal: {
          flow: 'checkout',
          amount: cart_total,
          currency: 'USD'
        }
      }, function (err, instance) {
        // button.addEventListener('click', function () {
        //   instance.requestPaymentMethod(function (err, payload) {
        //     // Submit payload.nonce to your server
        //   });
        // })
      });
    </script>
  </head>
  <body>
    <div id="bt-dropin"></div>
  </body>
</html>

I attempted to update our Paypal account following instructions here: braintree/braintree-web#642 (comment)

Did not resolve issue either

[john-parton]

This issue is still unresolved as of today.

[john-parton]

I was able to figure out the specific issue. If the header "Cross-Origin-Opener-Policy" is set to "same-origin", the PayPal integration does not work. Here is a resource explaining this header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

Nowhere in any documentation can I find any mention of this header, and multiple sources have suggested that "same-origin' should be the "safe" default. I believe it would be prudent for you to update your Content Security Policies section to include specific mention of the Cross-Origin-Opener-Policy header and what the allowable or correct values of this header are.

"same-origin" is the default with Django 4.0 and later with the security middleware installed

Therefore this will be an issue with anyone who meets the following conditions:

• Braintree with PayPal Integration
• Django 4.0 or later with the Security middleware installed (Probably the vast majority of Django deployments)
• The settings "SECURE_CROSS_ORIGIN_OPENER_POLICY" left as the default: https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-SECURE_CROSS_ORIGIN_OPENER_POLICY

Please let me know if I can provide any additional information. I do not think you should consider this issue resolved until your documentation is updated to reflect this header.

[john-parton]

Here is the specific commit in Django which adds this header and sets it to an incompatible default: django/django@db5b75f

[hollabaq86]

@john-parton apologies for the delay, and thanks for sharing your findings. Agreed that we need to update our docs- since Django is setting a default that is different than unsafe-none, the default in the Mozilla docs, I'm curious if any other frameworks are setting defaults other than unsafe-none, or if this is a trend in frameworks adopting more strict settings.

But regardless, we can update our reference docs with this info. I'll leave this issue open until that happens.

For internal tracking, issue 8727

[karolyi]

Very related: #939