
Serve 3DS iframes in a way that the hosting website doesn't need to remove CSP for frame-src #2457

Closed
KlemenS189 opened this issue Nov 22, 2023 · 1 comment
Labels
Enhancement New feature or request

Comments

@KlemenS189

Is your feature request related to a problem? Please describe.
To have proper 3DS interaction in dropin, I need to remove frame-src so iframes from banks can be served.
I don't know why the iframe from Adyen doesn't have an embedded iframe of the bank's 3DS, same as Stripe.
Removing CSP is unacceptable IMO and can lead to security issues. The solution of reporting CSP violations and then maintaining the list of violating URLs is not viable in any case.

Describe the solution you'd like
A dropin solution, where I wouldn't need to remove CSP to serve 3DS iframes.

Additional context
In the production environment I tried to make a test payment with my Revolut card. When prompted for 3DS, the component turned grey because the browser blocked the iframe from Revolut.

@KlemenS189 KlemenS189 added the Enhancement New feature or request label Nov 22, 2023
@sarobrien
Contributor

Hi @KlemenS189,

Thank you for your feedback. We have implemented proofs of concept in the past for this issue, but they were benched due to accessibility issues and missing demand. Furthermore, we do offer a completely hosted solution via our 3DS2 Redirect flow which would allow you to keep your CSP intact (once it allows Adyen domains, of course). That being said, we are currently reiterating on the current offering and this is one of the topics we discuss internally.
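The thread turns on how browsers resolve `frame-src`: dropping the directive does not by itself admit the bank's challenge iframe, because CSP Level 3 falls back to `child-src` and then `default-src`, and a tight `default-src 'self'` still blocks it. The script below is an added example (not code from the issue, from Adyen or from any project) that parses a policy and walks that fallback chain for a candidate iframe URL, so the "remove frame-src" option can be compared with the allowlist approach the reply points at. It matches scheme, host (including a leading `*.` wildcard) and port, omits path matching, and every hostname and policy in it is a constructed placeholder.

```python
"""Check whether a Content-Security-Policy lets a page embed a given <iframe> URL.

Added example for this issue (not code from the issue, Adyen or any project).
Follows the CSP Level 3 fallback order frame-src -> child-src -> default-src and
matches scheme, host (with leading wildcard) and port; path matching is omitted.
All hostnames and policies below are constructed placeholders.
"""
from typing import Optional, Tuple
from urllib.parse import urlparse

FALLBACK_ORDER = ("frame-src", "child-src", "default-src")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(parsed) -> Optional[int]:
    """Explicit port, or the scheme's default when none is given."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def _source_allows(expr: str, url, page) -> bool:
    """Match one CSP source expression against the frame URL."""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (url.scheme, url.hostname, _effective_port(url)) == (
            page.scheme, page.hostname, _effective_port(page))
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. "https:"
        return url.scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    rest = rest.split("/", 1)[0]                # drop any path component
    host, _, port = rest.partition(":")
    if scheme is not None and url.scheme != scheme:
        return False
    if scheme is None and url.scheme not in (page.scheme, "https"):
        return False
    if host.startswith("*."):                   # "*.psp.example" matches subdomains only
        if not (url.hostname or "").endswith(host[1:]):
            return False
    elif url.hostname != host:
        return False
    if port == "*":
        return True
    if port:
        return _effective_port(url) == int(port)
    return _effective_port(url) == DEFAULT_PORTS.get(url.scheme)


def frame_allowed(csp_header: str, frame_url: str, page_origin: str) -> Tuple[bool, str]:
    """Return (allowed, governing_directive) for embedding frame_url on page_origin.

    The first directive present in FALLBACK_ORDER decides; with none present,
    CSP places no restriction on frames.
    """
    policy = parse_csp(csp_header)
    url, page = urlparse(frame_url), urlparse(page_origin)
    for directive in FALLBACK_ORDER:
        if directive in policy:
            return any(_source_allows(s, url, page) for s in policy[directive]), directive
    return True, "no-applicable-directive"


# Constructed placeholders: the merchant page, a payment-provider challenge
# frame and an issuer ACS frame served from a host the merchant never listed.
PAGE = "https://shop.example"
PSP_FRAME = "https://checkout.psp.example/3ds2/challenge"
BANK_FRAME = "https://acs.bank.example/challenge"

POLICIES = {
    "locked down":        "default-src 'self'; frame-src 'self'",
    "allowlist psp":      "default-src 'self'; frame-src 'self' https://checkout.psp.example",
    "frame-src removed":  "default-src 'self'",
    "wildcard psp":       "default-src 'self'; frame-src 'self' https://*.psp.example",
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        for label, frame in (("psp", PSP_FRAME), ("bank", BANK_FRAME)):
            allowed, directive = frame_allowed(policy, frame, PAGE)
            print(f"{name:18} {label:5} allowed={str(allowed):5} via {directive}")
```

Run as-is to see that "frame-src removed" still refuses the bank's frame (it is now `default-src` that governs), while the allowlist and wildcard policies admit only the provider host and nothing else; that is the shape of policy the reply's "keep your CSP intact once it allows Adyen domains" implies, with the provider's real hostnames substituted for the placeholders.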
