Is your feature request related to a problem? Please describe.
To have proper 3DS interaction in dropin, I need to remove frame-src so iframes from banks can be served.
I don't know why the iframe from Adyen doesn't have an embedded iframe of the bank's 3DS. Same as Stripe.
Removing CSP is unacceptable IMO and can lead to security issues. The solution to report CSP violations and then maintain the list of violating URLs is not viable in any case.
Describe the solution you'd like
A dropin solution, where I wouldn't need to remove CSP to serve 3DS iframes.
Additional context
In the production environment I tried to make a test payment with my Revolut card. When prompted for 3DS, the component turned grey because the browser blocked the iframe from Revolut.
Thank you for your feedback. We have implemented proof of concepts in the past for this issue but they were benched due to accessibility issues and missing demand. Furthermore, we do offer a completely hosted solution via our 3DS2 Redirect flow which would allow you to keep your CSP intact (once it allows Adyen domains of course). That being said we are currently re-iterating on the current offering and this is one of the topics we discuss internally.
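The blocked 3DS frame described in this thread can be reproduced offline with a simplified `frame-src` evaluator. This is an added example, not code from Adyen or from the issue author; every host name is a constructed placeholder, and port/path matching and scheme upgrades are left out.

```javascript
// Simplified CSP check for frames: host-source, scheme-source, 'self', 'none' and "*".
// Scheme-less host sources are matched on any scheme here (an assumption of this sketch).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Match one source expression against a parsed frame URL.
function sourceMatches(source, url, selfOrigin) {
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source.toLowerCase() === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  // "*.example" matches subdomains only, never the bare domain; 'none' matches nothing.
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// Frames fall back frame-src -> child-src -> default-src; no governing directive means allowed.
function frameAllowed(policy, frameUrl, selfOrigin) {
  const d = parsePolicy(policy);
  const list = d.get('frame-src') ?? d.get('child-src') ?? d.get('default-src');
  if (list === undefined) return true;
  const url = new URL(frameUrl);
  return list.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed sample: a shop that allows only its payment provider's frames.
const POLICY = "default-src 'self'; frame-src 'self' https://*.psp.example";
const SHOP = 'https://shop.example';
const PSP_FRAME = 'https://checkout.psp.example/3ds/challenge';
const BANK_ACS = 'https://acs.bank.example/challenge';

console.log('PSP-hosted frame allowed:', frameAllowed(POLICY, PSP_FRAME, SHOP));
console.log('bank frame embedded directly allowed:', frameAllowed(POLICY, BANK_ACS, SHOP));
```

Running a page's real policy through the same check with each frame URL seen in CSP violation reports shows which source expression, if any, would have had to match.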