cardinaltrusted.com script-src and connect-src CSP

[cjhewett]

https://braintree.github.io/braintree-web-drop-in/docs/current/

Lists the following CSP rules:

If using 3D Secure, include these additional directives:
script-src | songbirdstag.cardinalcommerce.com | songbird.cardinalcommerce.com
connect-src | *.cardinalcommerce.com | *.cardinalcommerce.com

However (on sandbox), I am now getting the error:

Refused to load the script 'https://cas.static.client.cardinaltrusted.com/songbird/v2.0.0/songbird.js' because it violates the following Content Security Policy directive

Is cardinaltrusted.com now needed in the CSP?
Are there any other new rules needed?
How can the CSP rules change and this not be considered a major breaking change for DropIn?

[cjhewett]

As Braintree seems to have abandoned Github issues... I will post this email they have sent out for them:

---

We are upgrading our Cardinal integration to eligible merchants starting at the end of January 2026. As part of this release, the URL is on a different domain than the ones currently in our Content Security Policy (CSP) guidance. You may need to modify your CSP to support the new domain. This update has already been made in Sandbox.

What You Need to Know

• Only SDK versions greater than or equal to 3.121.0 are eligible for the upgrade. Older versions will continue to use the older Cardinal integration.
• If you are using a CSP, you will need to add the new cardinaltrusted domain to your policy and keep your existing cardinalcommerce entries in place.
  • Production script-src: add static.client.cardinaltrusted.com
  • Production connect-src: add *.cardinaltrusted.com

We recommend keeping the existing cardinalcommerce URLs in your policy as well. Merchants who are not using Content Security Policy do not need to make this change. If you do need to make this change, please do so by January 31, 2026.

Please reach out to your Account Manager or Customer Service for additional information.

Thanks,
The PayPal Braintree Team

---

Less than 2 months notice for a major breaking change... with the Christmas break... which they must have known about at least as far back as October... with still no corresponding updates to the documentation... 😒