If your website uses a Content Security Policy (CSP) header, you will need to add the following directives to allow the PayQuick.ly and AskQuick.ly widgets to function correctly. Merge these entries with any existing CSP configuration — do not replace the entire header.
Complete CSP — Copy-Paste Ready
Add all directives below to the existing Content-Security-Policy header on your website. The numbered `#` lines are annotations for this article only; the CSP grammar has no comment syntax, so include only the directive lines in the actual header value.
```
Content-Security-Policy:
  # 1. Scripts allowed to load
  script-src 'self' https://js.stripe.com https://www.paypal.com https://payquickly.clickandpledge.com;
  # 2. Stylesheets allowed to load
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://aws.assets.clickandpledge.com;
  # 3. Fonts allowed to load
  font-src 'self' https://fonts.gstatic.com data:;
  # 4. Iframes (Stripe card elements, Apple/Google Pay, PayPal)
  frame-src https://js.stripe.com https://hooks.stripe.com https://www.paypal.com;
  # 5. All fetch() / XHR calls the widget makes
  connect-src 'self' https://api.stripe.com https://js.stripe.com https://api.cloud.clickandpledge.com https://connect.clickandpledge.com https://*.lambda-url.us-east-1.on.aws https://*.execute-api.us-east-1.amazonaws.com https://www.paypal.com;
  # 6. Images (Stripe card brand logos)
  img-src 'self' https://*.stripe.com;
```
What Each Entry Does
| Directive | Domain | Why it is needed |
|---|---|---|
| script-src | https://js.stripe.com | Stripe.js SDK — loaded dynamically at the payment step |
| script-src | https://www.paypal.com | PayPal SDK — loaded when PayPal is selected as payment method |
| script-src | https://payquickly.clickandpledge.com | The widget script (app.js) itself |
| style-src | https://aws.assets.clickandpledge.com | RemixIcons CSS — icon class definitions (.ri-*) injected into the host page |
| style-src | https://fonts.googleapis.com | Google Fonts (Manrope) stylesheet — widget typography |
| font-src | https://fonts.gstatic.com | Google Fonts actual font files (.woff2) |
| font-src | data: | RemixIcons .woff2 — bundled inside app.js as a base64 data URI |
| frame-src | https://js.stripe.com | Stripe card element iframes and Apple Pay / Google Pay detection frames |
| frame-src | https://hooks.stripe.com | Stripe 3D Secure and post-payment confirmation iframes |
| frame-src | https://www.paypal.com | PayPal payment popup / hosted fields |
| connect-src | https://api.stripe.com | Stripe API calls (tokenisation, payment confirmation) |
| connect-src | https://api.cloud.clickandpledge.com | Widget config API — loads form settings, amounts, theme |
| connect-src | https://connect.clickandpledge.com | Click & Pledge connect base for form data |
| connect-src | https://*.lambda-url.us-east-1.on.aws | All Lambda functions — Stripe intent, PayPal intent, XML gateway, bank account |
| connect-src | https://*.execute-api.us-east-1.amazonaws.com | API Gateway — chatbot, translation, countries/states lookup |
| connect-src | https://www.paypal.com | PayPal SDK API calls during checkout |
| img-src | https://*.stripe.com | Card brand logos (Visa, Mastercard, etc.) from Stripe CDN |
Quick Reference — Directives at a Glance
| Directive | Domains to add | Blocks if missing |
|---|---|---|
| script-src | https://js.stripe.com https://www.paypal.com https://payquickly.clickandpledge.com | Widget, Stripe.js, and PayPal SDK fail to load — widget does not appear |
| style-src | https://aws.assets.clickandpledge.com https://fonts.googleapis.com | Icons missing (blank boxes), font falls back to system default |
| font-src | https://fonts.gstatic.com data: | Manrope missing; RemixIcons missing if data: URIs are blocked |
| frame-src | https://js.stripe.com https://hooks.stripe.com https://www.paypal.com | Stripe card input blank, Apple/Google Pay unavailable, 3D Secure fails |
| connect-src | https://api.stripe.com https://api.cloud.clickandpledge.com https://connect.clickandpledge.com https://*.lambda-url.us-east-1.on.aws https://*.execute-api.us-east-1.amazonaws.com https://www.paypal.com | Payments silently fail — fetch() calls blocked, no visible error to user |
| img-src | https://*.stripe.com | Card brand logos do not display |
Important: connect-src blocks are silent — the widget may appear to load correctly but payments will fail at the point of submission with no visible error to the user. Always verify connect-src is configured even if the widget renders.
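Two things on this page are easy to get wrong by hand: merging the directives into an existing header without replacing it (opening paragraph and Complete CSP above), and confirming that connect-src in particular is complete, since a gap there fails silently (note above). The script below is an added example, not Click & Pledge's own code. It parses an existing Content-Security-Policy value, merges the widget sources transcribed from the Complete CSP into it, and reports which required sources are still absent. The sample existing header (with the hypothetical https://cdn.example.com) is constructed for the example. Matching is by literal source token, not CSP host-matching semantics, so an existing broader source such as https://*.stripe.com will still be reported as not covering https://js.stripe.com; and a directive that is absent is checked against default-src, which is what the browser falls back to.

```python
import re

# Sources required by the PayQuick.ly / AskQuick.ly widgets, transcribed from
# the Complete CSP on this page. List order is preserved on output.
REQUIRED = {
    "script-src": ["'self'", "https://js.stripe.com", "https://www.paypal.com",
                   "https://payquickly.clickandpledge.com"],
    "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com",
                  "https://aws.assets.clickandpledge.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com", "data:"],
    "frame-src": ["https://js.stripe.com", "https://hooks.stripe.com",
                  "https://www.paypal.com"],
    "connect-src": ["'self'", "https://api.stripe.com", "https://js.stripe.com",
                    "https://api.cloud.clickandpledge.com",
                    "https://connect.clickandpledge.com",
                    "https://*.lambda-url.us-east-1.on.aws",
                    "https://*.execute-api.us-east-1.amazonaws.com",
                    "https://www.paypal.com"],
    "img-src": ["'self'", "https://*.stripe.com"],
}

# Fetch directives that the browser resolves from default-src when absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "font-src", "frame-src",
                         "connect-src", "img-src"}


def parse_csp(header):
    """Parse a CSP header value into an ordered {directive: [source, ...]} dict.

    A leading "Content-Security-Policy:" header name is tolerated. Duplicate
    sources within a directive are dropped, and a repeated directive name is
    ignored, which is what browsers do with it."""
    header = re.sub(r"^\s*content-security-policy\s*:\s*", "", header, flags=re.I)
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        sources = policy[name] = []
        for src in tokens[1:]:
            if src not in sources:
                sources.append(src)
    return policy


def serialize_csp(policy):
    """Render the dict back into a header value (without the header name)."""
    return "; ".join(
        name + (" " + " ".join(srcs) if srcs else "") for name, srcs in policy.items()
    )


def effective_sources(policy, directive):
    """Sources that actually apply to a directive, honouring the default-src
    fallback when the directive itself is not set."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def missing_sources(policy):
    """Return {directive: [required sources not literally present]}.

    'none' is treated as allowing nothing. Comparison is by literal token, so a
    broader existing source is still reported as a gap."""
    missing = {}
    for directive, sources in REQUIRED.items():
        present = [s for s in effective_sources(policy, directive) if s.lower() != "'none'"]
        gap = [s for s in sources if s not in present]
        if gap:
            missing[directive] = gap
    return missing


def merge_csp(header):
    """Add the required sources to an existing policy without dropping anything.

    A directive being introduced for the first time is seeded with the existing
    default-src sources, because once the specific directive exists the browser
    stops consulting default-src for it. 'none' must stand alone, so it is
    removed from any directive that receives real sources."""
    policy = parse_csp(header)
    for directive, sources in REQUIRED.items():
        if directive not in policy:
            policy[directive] = list(policy.get("default-src", []))
        policy[directive] = [s for s in policy[directive] if s.lower() != "'none'"]
        for src in sources:
            if src not in policy[directive]:
                policy[directive].append(src)
    return serialize_csp(policy)


# Constructed sample: a typical existing header that already trusts a CDN
# (https://cdn.example.com is a hypothetical host for the example).
EXISTING = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:"

if __name__ == "__main__":
    print("missing before merge:", missing_sources(parse_csp(EXISTING)))
    merged = merge_csp(EXISTING)
    print("merged header:", merged)
    print("missing after merge:", missing_sources(parse_csp(merged)))
```

Run `missing_sources(parse_csp(...))` against the header your server currently sends after the merge is deployed; an empty result means every source from the Complete CSP is literally present, and a non-empty `connect-src` entry is the silent-failure case the note above warns about. The seeding from default-src matters in practice: adding `frame-src` to a site that previously relied on `default-src` alone would otherwise quietly revoke whatever default-src permitted for frames.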