0

During a payment process, I have a remote 3DSecure form in an iframe on my site. After the user enters their 3D Secure PIN, the remote bank will POST the user back to a supplied URL (the "termURL") with the results. That, of course, stays in the iframe.

What I would like to do, on receiving the POST from the bank, is to check if I am in the iframe, and if so, break out of it.

Checking window.self !== window.top will tell me if I am in the iframe. Looking for expected POST values will tell me if I have returned from the bank (or am POSTing back to myself, with the bank's 3DSecure result). So what next?

I'm guessing the page in the iframe needs to re-POST itself with a target of _top. Do I need to do that using a self-POSTing form, or can it be done just using JavaScript?

I have no control over the content of the iframe when it displays the 3DSecure form, so I cannot get that remote site to target _top in the user's browser when returning the user to my site.

Jason
  • Just to note, in case security aspects affect this: the page I want to break out of the iframe will be on the same domain as the _top page. It is only the lead-up to this, when the user is entering their security PIN, that the iframe receives remote URLs, and those remote pages (which I cannot control) will stay in the iframe. – Jason Mar 10 '16 at 15:14
  • Maybe this is telling me the answer: http://stackoverflow.com/questions/133925/javascript-post-request-like-a-form-submit The JavaScript solution builds up a POST form dynamically then submits it. In my case it would be just as easy to build the form on the server then serve that with some JavaScript to submit it. But from this I understand only a HTML form can be used to POST from an `iframe` to the `_top` window. Would my understanding be correct? – Jason Mar 10 '16 at 15:25
  • Silly me - the server does not know it's serving to an `iframe` until the page gets to the browser. Maybe I just need to save the POST data in the session or process it immediately, then jump out of the `iframe` using JavaScript without worrying about the POST data, without even checking whether I am actually in an `iframe` or not. – Jason Mar 10 '16 at 15:34

1 Answer

0

You can always break out of the iframe the way you have suggested, by checking window.self != window.top using JavaScript, or like this:

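```html
<script>
  window.onload = function() {
    // Same-origin parent only: look for the iframe element in the parent document
    if (window.parent.document.getElementById('your-iframe-id')) {
      // Navigate the top-level window (a GET) to the continuation page
      window.top.location.href = "https://the-url-to-continue";
    }
  }
</script>
```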

Of course this is another GET to the the-url-to-continue and you need something to identify that the client has finished everything regarding 3D Secure. That something could be Session, or a cookie... I recommend the session...

sfitsos
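
One way to build the page the termURL handler returns, following the approach above of keeping the 3D Secure result in the session and leaving the iframe with a plain GET. This is an added example, not code from the question or the answer; the function names and the `/checkout/...` paths are assumptions, and it runs server-side in Node.js after the bank's POST has been processed.

```javascript
// Added example (assumed names and paths, not from the original thread).
// The bank's POST data is handled and stored in the session BEFORE this page
// is built, so nothing sensitive travels in the URL used to leave the iframe.

// Fixed, same-site destinations only: the top-level window must never be
// sent to a URL taken from request data.
const ALLOWED_PATHS = new Set(["/checkout/complete", "/checkout/failed"]);

function safeContinuePath(path) {
  return ALLOWED_PATHS.has(path) ? path : "/checkout/failed";
}

// Serialise a value for use inside an inline <script> block, so it cannot
// close the script element or start an HTML comment.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Returns the HTML body the termURL handler sends back into the iframe.
function buildBreakoutPage(requestedPath) {
  const target = toScriptLiteral(safeContinuePath(requestedPath));
  return [
    "<!doctype html>",
    "<html><head><meta charset=\"utf-8\"><title>Returning to checkout</title></head>",
    "<body>",
    "<script>",
    "  (function () {",
    "    var target = " + target + ";",
    "    // Framed: navigate the top window. Not framed: navigate this window.",
    "    var w = (window.self !== window.top) ? window.top : window;",
    "    // replace() keeps the bank's pages out of the back-button history.",
    "    w.location.replace(target);",
    "  })();",
    "</script>",
    "</body></html>",
  ].join("\n");
}
```

The page at the destination path then reads the 3D Secure outcome from the session rather than from anything the browser sends with the GET.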