If your website uses a Content Security Policy (CSP), you'll need to make changes to continue using our v3 JavaScript Payments library (st.js).
To keep the library working, follow the instructions below and update the relevant CSP directives before 15th May 2026.
Technical Implementation
We have updated the Content Security Policy (CSP) requirements to include the new https://*.cardinaltrusted.com domain. You must add this domain to your CSP directives to ensure continued functionality.
Required changes to your CSP
Add the following domain to these CSP directives:
- script-src: https://*.cardinaltrusted.com
- connect-src: https://*.cardinaltrusted.com
Full CSP definition
The complete CSP definition including the new https://*.cardinaltrusted.com source (the last entry in script-src and connect-src) is listed below, one directive per line. When sent as a Content-Security-Policy header or meta tag, the directives are separated by semicolons:
- default-src 'none'
- script-src 'self' https://*.trustpayments.com https://*.securetrading.net https://pay.google.com https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://*.mastercard.com https://*.cardinaltrusted.com
- connect-src 'self' https://*.sentry.io https://*.cardinalcommerce.com https://google.com/pay https://*.cardinaltrusted.com
- img-src 'self' data: https://*.gstatic.com https://*.vims.visa.com https://*.secure.checkout.visa.com https://*.mastercard.com
- font-src 'self' https://*.gstatic.com
- frame-src *
- style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
- form-action *
- base-uri 'self'
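As an added example (not code from the Trust Payments page or library), the following Node.js script checks whether a policy actually allows the new source, applying the rules a browser applies: a fetch directive that is absent falls back to default-src, a host source of the form *.cardinaltrusted.com matches subdomains but not the apex domain, and the scheme and path of a source expression must match the URL. The merchant origin https://shop.example and the hostnames under cardinaltrusted.com are placeholders, not real endpoints of the library.

```javascript
// Added example, not part of the Trust Payments documentation or library: a small
// CSP checker that parses a Content-Security-Policy header, applies the default-src
// fallback, and decides whether a URL would be allowed by a given directive.
// Hostnames under cardinaltrusted.com and https://shop.example are placeholders.

// Sources this notice requires, per directive.
const REQUIRED_SOURCES = {
  "script-src": "https://*.cardinaltrusted.com",
  "connect-src": "https://*.cardinaltrusted.com",
};

// The full policy from the notice, serialised as one header value.
const NEW_CSP = [
  "default-src 'none'",
  "script-src 'self' https://*.trustpayments.com https://*.securetrading.net https://pay.google.com https://*.secure.checkout.visa.com https://*.cardinalcommerce.com https://*.mastercard.com https://*.cardinaltrusted.com",
  "connect-src 'self' https://*.sentry.io https://*.cardinalcommerce.com https://google.com/pay https://*.cardinaltrusted.com",
  "img-src 'self' data: https://*.gstatic.com https://*.vims.visa.com https://*.secure.checkout.visa.com https://*.mastercard.com",
  "font-src 'self' https://*.gstatic.com",
  "frame-src *",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "form-action *",
  "base-uri 'self'",
].join("; ");

// Constructed "before" state: the same policy without the new host.
const OLD_CSP = NEW_CSP.split(" https://*.cardinaltrusted.com").join("");

// Parse "directive src src; directive src" into a Map. As in the spec, the first
// occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (script-src, connect-src, img-src, ...) fall back to default-src
// when absent; null means nothing restricts the directive at all.
// frame-src really tries child-src first; that step is omitted here.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Does one source expression match a URL? Covers 'none', 'self', scheme sources
// (https:, data:), the bare wildcard, and host sources with optional scheme,
// leading "*." label, port and path.
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // nonces, hashes, 'unsafe-*' never match a fetched URL
  if (src === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? url.protocol !== `${scheme}:` : !["http:", "https:"].includes(url.protocol)) return false;
  if (host.startsWith("*.")) {
    // "*.cardinaltrusted.com" matches any subdomain but not the apex itself
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && url.hostname !== host) return false;
  const defaultPort = url.protocol === "https:" || url.protocol === "wss:" ? "443" : "80";
  const urlPort = url.port || defaultPort;
  if (port && port !== "*" && urlPort !== port) return false;
  if (!port && urlPort !== defaultPort) return false;
  if (path) {
    if (path.endsWith("/")) return url.pathname.startsWith(path);
    return url.pathname === path;
  }
  return true;
}

// Would urlString be allowed by directive under this header, for a page at pageOrigin?
function allows(header, directive, urlString, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Which required directives still lack the new source expression?
function missingRequired(header) {
  const policy = parsePolicy(header);
  return Object.entries(REQUIRED_SOURCES)
    .filter(([directive, needed]) => {
      const sources = effectiveSources(policy, directive);
      return sources !== null && !sources.map((s) => s.toLowerCase()).includes(needed);
    })
    .map(([directive]) => directive);
}

const ORIGIN = "https://shop.example"; // constructed merchant origin
const SDK_URL = "https://example-host.cardinaltrusted.com/sdk.js"; // placeholder host
console.log("missing before:", missingRequired(OLD_CSP)); // [ 'script-src', 'connect-src' ]
console.log("missing after:", missingRequired(NEW_CSP)); // []
console.log("apex not covered:", allows(NEW_CSP, "script-src", "https://cardinaltrusted.com/sdk.js", ORIGIN)); // false
```

Run it against the header your site actually sends (for example the Content-Security-Policy line from `curl -sI` on your checkout page) rather than the policy you intended to deploy. The apex-domain and http: cases show why checking a concrete URL against the policy is more reliable than searching the header for a substring.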
Timeline and Deadlines
When do these changes take effect?
15th May 2026
Is there a grace period?
No. Make sure all required domains are allowed in your CSP before the deadline.
Can I implement these changes today?
Yes. We encourage you to update your CSP as soon as possible.
Will existing transactions fail immediately if I don't update?
Yes. Once the deadline passes, the library will load resources from https://*.cardinaltrusted.com; if your CSP does not allow that host in script-src and connect-src, the browser blocks those requests and the affected 3-D Secure authentications fail.
What happens if I don't update my CSP by the deadline?
Failure to update your CSP will result in 3-D Secure authentication failures, which may prevent payments from completing.
Testing and Troubleshooting
Should I perform tests following these changes?
We recommend processing transactions against your test site reference using the test card credentials provided in our Testing Centre, with the browser developer console open so that any CSP violation is visible. If you want to verify the updated policy before enforcing it, you can first send it in a Content-Security-Policy-Report-Only header alongside your existing policy: violations are then reported to the console (and to any report-uri or report-to endpoint you configure) without being blocked.
What error messages should I look for in the browser console?
A blocked request is logged as a CSP violation that names the blocked URL and the directive, for example (Chrome wording) "Refused to load the script 'https://....cardinaltrusted.com/...' because it violates the following Content Security Policy directive: script-src ..." or "Refused to connect to 'https://....cardinaltrusted.com/...' because it violates the following Content Security Policy directive: connect-src ...". Any violation whose blocked URL is a host under cardinaltrusted.com and whose effective directive is script-src or connect-src means your policy has not been updated.
Are there different requirements for test and production environments?
No, the domains to add are the same in both test and production environments.
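To triage violations during testing, the following added example (not code from the Trust Payments page) normalises reports from both the legacy report-uri body and the Reporting API format used by report-to, keeps those whose blocked URL is a host under cardinaltrusted.com, and counts them by directive and disposition so that enforced failures are separated from report-only results. The report contents are constructed and the hostnames under cardinaltrusted.com are placeholders.

```javascript
// Added example, not part of the Trust Payments documentation: triage CSP violation
// reports and pull out the ones caused by a host under cardinaltrusted.com.
// Accepts the legacy report-uri body ({"csp-report": {...}}) and the Reporting API
// format ([{"type": "csp-violation", "body": {...}}]). Sample data is constructed.

const DOMAIN = "cardinaltrusted.com";

// Normalise one report of either format into a common shape, or null if it is
// not a CSP violation report at all.
function normaliseReport(entry) {
  if (entry && typeof entry === "object" && entry["csp-report"]) {
    const r = entry["csp-report"];
    return {
      blockedURL: r["blocked-uri"],
      // effective-directive was added after violated-directive; fall back for old browsers
      effectiveDirective: r["effective-directive"] || r["violated-directive"],
      documentURL: r["document-uri"],
      disposition: r["disposition"] || "enforce",
    };
  }
  if (entry && entry.type === "csp-violation" && entry.body) {
    const b = entry.body;
    return {
      blockedURL: b.blockedURL,
      effectiveDirective: b.effectiveDirective,
      documentURL: b.documentURL,
      disposition: b.disposition,
    };
  }
  return null;
}

// blocked-uri is not always a URL: "inline", "eval" and bare schemes such as
// "data" appear too. Return a lower-cased hostname or null.
function blockedHost(blockedURL) {
  try {
    return new URL(blockedURL).hostname.toLowerCase() || null;
  } catch (_err) {
    return null;
  }
}

// True for the domain itself and any subdomain, never for look-alikes.
function isUnder(host, domain) {
  return host !== null && (host === domain || host.endsWith(`.${domain}`));
}

// Accepts a single legacy body, a single Reporting API report, or an array of either.
function triage(payload, domain = DOMAIN) {
  const entries = Array.isArray(payload) ? payload : [payload];
  return entries
    .map(normaliseReport)
    .filter((r) => r !== null && isUnder(blockedHost(r.blockedURL), domain));
}

// Count by "<disposition> <directive>" so enforced failures stand out from report-only noise.
function summarise(records) {
  const counts = {};
  for (const r of records) {
    const key = `${r.disposition} ${r.effectiveDirective}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample: what a report endpoint might receive while testing a checkout page.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src", "violated-directive": "script-src", "blocked-uri": "https://example-host.cardinaltrusted.com/sdk.js", "original-policy": "default-src 'none'; script-src 'self'", "disposition": "enforce" } },
  { type: "csp-violation", age: 12, url: "https://shop.example/checkout", user_agent: "constructed", body: { documentURL: "https://shop.example/checkout", blockedURL: "https://example-api.cardinaltrusted.com", effectiveDirective: "connect-src", originalPolicy: "default-src 'none'; connect-src 'self'", disposition: "report", statusCode: 200 } },
  { "csp-report": { "document-uri": "https://shop.example/checkout", "violated-directive": "script-src", "blocked-uri": "inline" } },
  { type: "csp-violation", body: { documentURL: "https://shop.example/checkout", blockedURL: "https://cdn.example/logo.png", effectiveDirective: "img-src", disposition: "enforce" } },
  { type: "deprecation", body: { id: "constructed" } },
];

const flagged = triage(SAMPLE_REPORTS);
console.log(summarise(flagged)); // { 'enforce script-src': 1, 'report connect-src': 1 }
```

The same fields are exposed in the browser by the securitypolicyviolation event (blockedURI, effectiveDirective, disposition), so the same filtering can run client-side on your test checkout page while you process transactions.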
Compatibility and Impact
Will this affect mobile app integrations or just web?
Only web-based integrations are affected, and only where the page that loads the library enforces a CSP.
Does this affect 3-D Secure flows?
Yes. If https://*.cardinaltrusted.com is missing from script-src or connect-src, the browser blocks the library's requests to that host and 3-D Secure authentication errors result.