diff --git a/docs/integrations/scripts.mdx b/docs/integrations/scripts.mdx index e3b977b88..f15c62c3a 100644 --- a/docs/integrations/scripts.mdx +++ b/docs/integrations/scripts.mdx @@ -103,9 +103,17 @@ Solutions that add dynamic script support using revisions to or additions of scr Release notes can work for all storefronts. Changes to the [OAuth scopes](/docs/start/authentication/api-accounts#oauth-scopes) of apps that use [app-level API accounts](/docs/start/authentication/api-accounts#app-level-api-accounts) require the store owner or other authorized user to accept the new scopes, which could provide a mechanism to trigger release note display. Store owners aren't prompted to reauthorize until they next open an app in the control panel, so direct contact may be advisable from a conversion perspective. You can't change the OAuth scopes for a [store-level API account](/docs/start/authentication/api-accounts#store-level-api-accounts), so directly contacting the store or stores that you want to change may be your only option for disclosure. -## Subresource integrity +## PCI compliance -[Subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is a security feature browsers use to verify that attackers have not manipulated external hosted resources, including scripts. +To ensure the integrity of your scripts, BigCommerce implements the [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) feature for _external_ scripts and [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) standards for _inline_ scripts. + +You can [opt into these security features]() in the control panel in storefront settings. + +After you opt in, your scripts must meet additional requirements to successfully execute in the browser. The following sections describe what you and BigCommerce need to provide to meet security requirements after you opt in. + +### Subresource integrity + +[Subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is a security feature browsers use to verify that attackers have not manipulated _external_ hosted resources, including scripts. All scripts on the checkout page need at least one SRI hash to meet [PCI 4.0 - 6.4.3 requirements](https://pcipolicies.com/blogs/news/how-to-comply-with-the-new-pci-dss-requirement-6-4-3). @@ -124,6 +132,16 @@ You can add up to five SRI hashes and remove hashes when they are no longer vali If there is a change to the host script, you must update or add a valid hash. If no hashes match the contents of the script, the browser console will show an error that the script failed to execute. +### Content security policy + +[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is a standard that can use [`nonce` global attributes](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce) to allowlist _non-static inline_ scripts. + +Since the inline scripts you inject may contain dynamic handlebar template variables, BigCommerce uses `nonce` values instead of `integrity` hashes to validate inline scripts. Browsers first check for `integrity` hashes before checking `nonce` values. + +If you add a script through Script Manager or the Scripts API, BigCommerce automatically generates and injects a unique `nonce` value for the script on every page load. We then pass it to browsers through the HTTP `Content-Security-Policy` response header. + +If you have custom scripts in the Stencil theme files (i.e. outside of Script Manager or the Scripts API), you need to add a `nonce` handlebar to the script. + ## Troubleshooting Your app installation may find itself unexpectedly missing one or more scripts. Below are some possible causes of this issue.