Funny how googling errors works. Trying to test Stripe.js locally (using ngrok to get https links)… In Firefox, I kept getting a CSP error:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”).
Okay, I have a general understanding of CSP, but it was working in production, why not here?
One of the top search hits was a thread on the Redux DevTools repo. “Looks like this is a long standing bug with Firefox being too strict with CSP and applying the rules as well on scripts injected by extensions & bookmarklets.
My script isn’t coming from an extension or bookmarklelt, but sure enough, when I switched over to Chrome and Safari, it works. Another wasted 2 hours, thanks to browser weirdness.