← Back to Baseline

MB-R088

Payment page script allowlist and integrity controls

C12 Third‑party Config Security High

Payment-page scripts should be constrained by allowlists and integrity controls such as SRI, hashes, signed deployment manifests, CSP nonces, or approved monitoring. Without integrity controls, compromised third-party JavaScript or injected snippets can skim card data in the browser. Validate that only approved script origins and expected script assets can execute on checkout.

Why it Matters

A script inventory says what should load; an allowlist and integrity controls help enforce it. Without enforcement, compromised tag managers, injected templates, or extension changes can add scripts that skim payment pages.

Strong controls around allowed hosts, CSP nonces/hashes, and deployment review make checkout script behavior harder to tamper with silently.

Verification Steps

CSP and source review

# Inspect checkout response headers for script-src allowlist
curl -I https://mystore.com/checkout | grep -i content-security-policy

Runtime comparison

# Compare loaded script hosts in browser DevTools against the approved allowlist

Remediation / Fix Guidance

  1. Define allowed script hosts for checkout and payment pages.
  2. Use CSP nonces, hashes, or strict allowlists where Magento and extensions allow it.
  3. Restrict tag manager permissions and review tag changes.
  4. Remove wildcard script sources such as * or broad CDN allowances.
  5. Alert when checkout loads a script outside the approved list.

Examples

Fail Example
script-src * 'unsafe-inline' 'unsafe-eval';
# Broad script execution allowed → FAIL
Pass Example
script-src 'self' https://js.payment-provider.example 'nonce-...';
# Limited approved sources → PASS

References