-
-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]“X-Frame-Options“ issue when using "Accept Hosted iframe -- PCI SAQ A -- most secure" payment form type #7
Comments
Hi @dangtrinhtran , thanks for bringing this up. We do have a KB article about this: https://support.paradoxlabs.com/support/solutions/articles/4000202094-authorize-net-cim-payment-gateway-failed-to-connect-or-no-message-received-from-communicator- But to more directly answer your concern: ContextThe way the Authorize.net hosted form works requires a 'communicator' page on your website to be embedded inside the hosted form, to pass messages to your checkout page. That's how we know what size to make the form, and when the customer hits 'place order'. This is in direct conflict with As you found, Magento tries to force this header in multiple ways:
We unset the PHP header for the communicator page only, using a plugin. However, if your server processes the Apache SolutionSince You can apply that change automatically with a composer patch such as:
Use vaimo/composer-patches if you don't already, save the above patch to your codebase, and apply it with composer.json configuration such as:
Other notesI would argue Magento is in the wrong for having this I deeply hope that Authorize.net improves how the Hosted form communicates status using modern web mechanisms, to avoid this problem like all other embedded payment gateways. But for now, it's what we have. We do need to improve communication around this issue, as it does come up a lot. There is a theoretical alternative approach, where we accept that the form won't always be able to communicate, and pass messages through your web server and Authorize.net webhooks (for success/failure) instead. But this would be very fraught, as there's potentially significant delay between when a customer clicks 'place order' and when the webhook comes through and then gets from the server to the customer browser to send them to the order success page. That's assuming the webhook goes through at all. If nothing else, it would be going from one round-trip to Authorize.net, to that round trip, plus an async notification, plus two more jumps (Authnet -> server, server -> client, by some means). In other words, slow, and lots of pieces involved. Another approach would be to change to a payment redirect, where the customer places their order, gets redirected to Authorize.net for payment, and then redirected back to your confirmation/success page. That would avoid the issue, but we don't consider that acceptable user experience. |
@rhoerr thanks for the details. |
Hi @rhoerr
Thank you for the release of version 5.1.2.
🐛 Bug report
Current Behavior
Magento 2.4.7-p2, PHP 8.3, paradoxlabs/authnetcim 5.1.2 and "Accept Hosted iframe -- PCI SAQ A -- most secure" payment form type.
Expected Behavior
The payment iframe should be loaded without errors.
Minimal reproduction of the problem with instructions
Step 1: Enable "Payment Form Type: Accept Hosted iframe -- PCI SAQ A -- most secure".
Step 2:
'x-frame-options' => 'SAMEORIGIN'
in app/etc/env.php orHeader set X-Frame-Options SAMEORIGIN
in .htaccess file.If we set "
Header unset X-Frame-Options
", the payment iframe is loaded but we do not think it is a good way to do this because it could expose the site to clickjacking attacks.Do you have any ideas about this?
What is the motivation / use case for changing the behavior?
Environment
The text was updated successfully, but these errors were encountered: