
We have a Cordova app that uses Stripe PaymentIntent with 3D Secure.

When trying to validate a payment, an iframe should open for the 3DSecure. Cordova apps need allowance with the whitelist plugin. We have the following whitelist:

```xml
<allow-navigation href="https://stripe.com/*" />
<allow-navigation href="https://js.stripe.com/*" />
<allow-navigation href="https://hooks.stripe.com/*" />
<allow-navigation href="https://connect.stripe.com/*" />
```

As prescribed by different answers:

This is enough for testing with test card numbers, but once in production, we started to have problems with users complaining about a white screen on payment validation. A look at the logs gives us this error:

```
ERROR Internal navigation rejected - allow-navigation not set for url=‘https://verifiedbyvisa.acs.touchtechpayments.com/v1/payerAuthentication
```

So now we are wondering: is this the only URL we should allow? A search leads us to this article: Touchtech joins Stripe, so maybe we should allow every URL from Touchtech?

Is there any documentation on what URLs Stripe will try to load as an iframe for 3D Secure so every case is covered?

Cyril Gandon
    The URL inside the frame is going to just be from the issuer of the customer's card, or the ACS their bank uses for implementing 3D Secure (looks like it was Touchtech for that example, but it won't always be), so there's no possible exhaustive list here and it will change all the time, it's entirely controlled by the issuer. I'm not really sure what you can do here beyond whitelisting `*` if that's possible. Maybe https://support.stripe.com/email would know more. – karllekko May 22 '20 at 15:17
    From Stripe Dev team: `There isn't really an option outside of because the 3DS redirect target is controlled entirely by the card issuer (your customer's bank). It is not possible for us to provide an enumerated list of these domains. While I recognize this may not be your preferred configuration, any attempt to list domains would risk blocking some of your customers.`. @karllekko you can transform your comment into an answer and I will accept it. – Cyril Gandon May 26 '20 at 06:21
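
As an added illustration (not part of the original question or comments): a small Node.js check that reads the `allow-navigation` entries from the question and reports which hosts in rejection log lines they fail to cover. The matcher is a simplified approximation of the whitelist plugin's pattern rules, and the log lines and the `acs.issuer-bank.example` host are constructed.

```javascript
// Added example; isAllowed() is a simplified approximation (assumption),
// not the whitelist plugin's own matching code.
const CONFIG_XML = `
<allow-navigation href="https://stripe.com/*" />
<allow-navigation href="https://js.stripe.com/*" />
<allow-navigation href="https://hooks.stripe.com/*" />
<allow-navigation href="https://connect.stripe.com/*" />`;
// Constructed log lines in the format of the error quoted in the question.
const LOG_LINES = [
  "ERROR Internal navigation rejected - allow-navigation not set for url='https://verifiedbyvisa.acs.touchtechpayments.com/v1/payerAuthentication'",
  "INFO unrelated line without a rejected URL",
  "ERROR Internal navigation rejected - allow-navigation not set for url='https://acs.issuer-bank.example/auth'",
];

// Pull every allow-navigation href out of a config.xml fragment.
function navigationPatterns(xml) {
  return [...xml.matchAll(/<allow-navigation\s+href="([^"]+)"/g)].map((m) => m[1]);
}

// Convert a path glob such as "/v1/*" into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// True when at least one pattern covers the URL (scheme, host and path).
function isAllowed(url, patterns) {
  const u = new URL(url);
  return patterns.some((p) => {
    if (p === "*") return true; // bare wildcard covers every URL
    const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]+)(\/.*)?$/i.exec(p);
    if (!m) return false;
    const [, scheme, host, path = "/*"] = m; // assumption: no path means any path
    const schemeOk = scheme === "*" || scheme.toLowerCase() + ":" === u.protocol;
    const hostOk = host === "*" || (host.startsWith("*.")
      ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
      : u.hostname === host.toLowerCase());
    return schemeOk && hostOk && globToRegExp(path).test(u.pathname);
  });
}

// Hosts from rejection log lines that the patterns still do not cover.
function rejectedHosts(logLines, patterns) {
  const re = /allow-navigation not set for url=['‘"]?(https?:\/\/[^\s'’"]+)/;
  const hosts = new Set();
  for (const line of logLines) {
    const m = re.exec(line);
    if (m && !isAllowed(m[1], patterns)) hosts.add(new URL(m[1]).hostname);
  }
  return [...hosts].sort();
}
```

Running `rejectedHosts(LOG_LINES, navigationPatterns(CONFIG_XML))` lists both issuer ACS hosts as uncovered, while the same call with `["*"]` as the pattern list returns an empty array.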
