2

I have a page with standard iframe markup.

The frame is linked to an HTTPS URL. The iframe does some processing (payment info and such).

Then it returns POST data. When the processing fails, most of the time it does not reload the parent (return URL, plus POST data to that URL, loads inside the iframe), and when the payment processing returns successful, most of the time it completely reloads the parent page (return URL, plus POST data to the successful URL, reloads the parent to that URL).

As this is code from the secure payment, there isn't a lot I can show.

Is there any JavaScript or HTML attribute that will make this happen without randomness?

vico
  • Is there a specific reason why you chose to use iframes in the first place? Why not use ajax instead? – Jason Jul 07 '14 at 20:07
  • @Jason: because iframes could be much safer than ajax? – dandavis Jul 07 '14 at 20:08
  • It is a hostedpay page @Jason, it was how it came before I developed it. – vico Jul 07 '14 at 20:09
  • @vico: The behavior of reloading (or not) depends on the HTML markup returned by the server. You can try to sandbox the iframe or use a CSP on the framing page. – dandavis Jul 07 '14 at 20:10
  • Just as an aside, if your parent page is not also HTTPS, that can lead to some mistrust by the users. – DA. Jul 07 '14 at 20:12
  • @DA That's been taken care of, as the return POST data is delivered to an HTTPS URL. Would the parent page hosting the iframe not being HTTPS cause the random reload or not-reload issue? – vico Jul 07 '14 at 20:13
  • This might help you http://stackoverflow.com/questions/752465/preventing-child-iframe-from-breaking-out-of-frame – L. Monty Jul 07 '14 at 20:28
  • @vico I was referring to customer perception rather than technology. If the URL of the page is HTTP, they may be hesitant to submit payment data, even if the iframe is HTTPS. – DA. Jul 07 '14 at 20:40
  • @DA Good point, I will take note of that and switch the page over. – vico Jul 07 '14 at 20:43
  • @L.Monty Thanks I will try some of the suggested methods. – vico Jul 07 '14 at 20:43

2 Answers

5

Ended up using sandbox mode for the iframe, which forcibly stops the redirection, at least for modern browsers.

sandbox="" without allow-top-navigation will forcibly prevent the reload.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

vico
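The sandbox behaviour the answer above relies on, as an added example that is not part of the original answer: it classifies a sandbox attribute value by whether the framed page may replace the parent, and shows that a bare sandbox="" also disables the form submission and scripts a payment page needs. The function names, the chosen token set and the pay.example.test URL are assumptions made for illustration.

```javascript
// Added example, not from the original post. The tokens are real HTML sandbox
// keywords; the URL and the chosen token set are assumptions.
const TOP_NAV = "allow-top-navigation";
const TOP_NAV_GESTURE = "allow-top-navigation-by-user-activation";

// Split a sandbox attribute value into a set of lowercase tokens.
// undefined/null means the attribute is absent (the frame is not sandboxed).
function parseSandbox(value) {
  if (value === undefined || value === null) return null;
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Can the framed document replace the parent (top-level) page?
// Returns "always", "user-gesture" or "never".
function topNavigation(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return "always";      // no sandbox attribute at all
  if (tokens.has(TOP_NAV)) return "always";
  if (tokens.has(TOP_NAV_GESTURE)) return "user-gesture";
  return "never";                            // includes sandbox=""
}

// Features a payment form inside the frame loses under this value.
function brokenFeatures(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return [];
  const needed = { "allow-forms": "form submission", "allow-scripts": "scripts" };
  return Object.keys(needed).filter(t => !tokens.has(t)).map(t => needed[t]);
}

// Build iframe markup that keeps the form working but pins the result page
// inside the frame. allow-same-origin is assumed to be needed by the
// provider's own scripts; allow-top-navigation is deliberately left out.
function paymentFrame(src) {
  const sandbox = "allow-forms allow-scripts allow-same-origin";
  const esc = s => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${esc(src)}" sandbox="${sandbox}"></iframe>`;
}

const PAY_URL = "https://pay.example.test/hosted?order=1"; // placeholder URL
for (const v of [undefined, "", "allow-forms allow-top-navigation",
                 "allow-forms allow-scripts allow-same-origin"]) {
  console.log(JSON.stringify(v), topNavigation(v), brokenFeatures(v));
}
console.log(paymentFrame(PAY_URL));
```

With top navigation blocked, the provider's success page loads inside the frame just as the failure page does, so the parent has to pick up the result from there.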
0

If it only redirects on successful attempts and not every time, then it is most likely redirected from the server (e.g. using a redirect header, or a window.refresh); then you would have to fix your code there (if you have control over it).

If you don't have control over the server-side code where the iframe is coming from, ask the owner of the API for help. If they refuse (which they will most likely do) to apply the changes you need, it will probably be due to security concerns (if the user's transaction is getting processed on another server, why is the page hosted in an iframe in your page? Read about clickjacking).

Either way, I would use Fiddler, or any other tool you can think of, to examine the contents of a successful response to verify whether the server-side code is redirecting.

hnafar