Paypal JS SDK not loading for some users #461
Comments
|
Also facing this issue. |
|
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment! |
|
We've identified the root cause of this issue as likely being Safari security settings. Specifically it seems like disabling "Hide IP from trackers" on both mobile and desktop Safari causes the button to load successfully in sessions where it previously did not load. Some devs have said that it appears to be a CORS issue. I think it is a security issue where Safari sees the paypal sdk as a tracker script (maybe because it is loading so frequently), and thus hides the user's IP address, which leads to a failure in the script loading, I assume due to some backend requirement at PayPal to have the IP when loading the script. I think the way to solve this (other than that security setting being turned off) is likely to reduce the number of paypal script loads down to an absolute minimum, so that Safari does not think it's a tracker script. This is just an educated guess on my part though. It may or may not be relevant that we are also loading only buttons and messages like OP. |
|
We've been experiencing this issue intermittently. We use Gravity Forms with their PayPal add-on. It is frustrating as this issue prevents the form from loading and the page from completely loading, thus breaking our forms and losing business. Any insights on how to fix this or is just abandoning PayPal the best option? |
|
It looks like #561 Could also be related to this. |
|
bump |
4 similar comments
|
bump |
|
bump |
|
bump |
|
bump |
|
I have studied the issue and I believe this is a CORS issue. The problem is partly in paypal-js code and parlty in the server code that distributes the SDK (https://www.paypal.com/sdk/js). General information about CORS related to this can be found here:
This can also be (potentially) a security issue because right now, any website can instruct the user browser to load the Paypal SDK. As long as the user is using a browser that does not comply with CORS rules (or the user herself does not turn ON CORS checking), she could be potentially vulnerable. This bug was first reported in February, 2024 and the number of people who have turned ON CORS has increased since then. The longer this bug remains, the more people will turn ON CORS in their browsers, and the more people will not be able to use Paypal. What makes this issue so invisible, aside from the small number of users affected so far, is that Safari has so many settings that I have not figured out myself which one turns ON the checking of CORS. At this time I have reproduced the issue; I can only repro it using a user's iPhone. The same user iPhone repros the issue using Chrome, so I am guessing that CORS is now an iOS setting. The fact that it works at all in most browsers is THE problem, I believe. |
|
I tried to fix it by copying the Paypal client code from node_modules, and then modifying it such that it loads the SDK from our server instead of from the Paypal server. It was easy enough to download the SDK using curl (it can be downloaded even without specifying your client_id). I then placed that SDK in our server. |
|
@ctapang It does sound good that a workaround exists. But Paypal docs explicitly say: "Don't include it in a bundle or host it yourself". This issue already persists for about a year, I wish someone would tackle it already. |
|
Yes, I got the SDK code to download from our server, but when I finally made it to just display the PayPal buttons, none of the buttons work. It seems that the PayPal server is refusing to communicate with the same SDK but downloaded from our server. |
|
Paypal needs to fix this. The devices and browsers that "fail" (about 1% according to some who have reported this issue) are actually not failing. The big problem for Paypal is that this is a security hole in 99% of the cases that seem to work. They have to fix it soon. The fact that I can't make the SDK work when downloaded from our server is not a hindrance to a hacker. Once the hacker understands how the SDK works, it should be very easy to exploit this vulnerability. |
|
I also appear to be having this issue. Unfortunately, the PayPal SDK was loaded in the head of my document and was preventing entire pages from loading. In the network tab, the paypal script just sits with a spinner next to it. |
|
we also see this issue |
|
We also see this issue and can confirm that disabling the "Hide IP address" setting in safari settings fixes it. This means a huge load of our users can't access PayPal. |
|
We have same issue with fetching when "Hide IP address" is enabled. Interestingly it only affects iOS. Same setting doesn't cause any problems on MacOS Safari |
|
We are able to reproduce this on some Safari browsers on macOS too. Even more infuriating is that we have two browsers with the exact same Safari and macOS build numbers – on one of them the setting works fine on one the setting disables the PayPal button completely and we get an error when loading the script. 
|
|
We are seeing die issue in all our Shopware 5 installations where Paypal is integrated via the Plugin provided by Shopware. All iPhones with iOS 18.1.1 seem to be affected when the "Hide IP address" option is enabled. The first problem reports arrived yesterday. I can also reproduce the problem on my iPad. Chrome for iOS doesn't seem to be affected |
|
Seems like it's working again. We haven't changed anything |
|
Same issue here for a webflow hosted website with PayPal enabled. The below are screenshots replicating the issue in the iOS 18 Xcode simulator (also real users complained). Interestingly same issue happening with the stripe-js occasionally not loading for 60-100 seconds.
|
|
Not sure if this could be helpful to others: I was seeing the same issue of: I took the url in the console log and putting it on a browser and I could see the actual error message: It seems for some reason the client id has become invalid. |
and others
Library used
direct script integration, as follows: https://www.paypal.com/sdk/js?client-id=[OUR-CLIENT-ID]&components=messages,buttons
🐞 Describe the Bug
We set up sentry to report when an external <script> tag failed to load (triggers an onerror event).
For 1% of our users, the SDK script tag is unable to load. It works for 99% of the users since we still get payments, but cannot reproduce locally.
Watching some affected user sessions show the user being frustrated as he cannot find the Paypal Smart Buttons on the page.
Moreover, window.paypal is not available right under the asynchronous script tag for these users.
All browsers are affected, desktop and mobile, Chrome/Safari/Edge
We use the Paypal JS SDK on 3 separate websites, and the issue happens on the 3 sites.
🔬 Minimal Reproduction
Cannot reproduce
😕 Actual Behavior
The direct Paypal SDK JS script tag triggers an "onerror" event, and window.paypal isn't available which triggers subsequent errors upon usage.
🤔 Expected Behavior
Expected Paypal JS SDK to be downloadable by all users' browsers.
The text was updated successfully, but these errors were encountered: