topic Hosted accept not working now server enforces X-Frame-Options: SAMEORIGIN in cybersource APIs https://community.developer.cybersource.com/t5/cybersource-APIs/Hosted-accept-not-working-now-server-enforces-X-Frame-Options/m-p/87453#M1156 <P>Hi,</P><P>We use the hosted accept to accept a payment, as per&nbsp;<A href="https://developer.authorize.net/api/reference/features/accept-hosted.html" target="_blank" rel="noopener">https://developer.authorize.net/api/reference/features/accept-hosted.html</A>&nbsp;and&nbsp;<A href="https://github.com/AuthorizeNet/accept-sample-app" target="_blank" rel="noopener">https://github.com/AuthorizeNet/accept-sample-app</A>&nbsp;</P><P>This used to work absolutely fine. However, we have now configured the webserver to enforce these headers:</P><UL class=""><LI><P>HSTS</P></LI><LI><P>X-Content-Type-Options set with a static value of nosniff on all routes.</P></LI><LI><P>X-Frame-Options: SAMEORIGIN to cover the CSP for frame-busting.</P></LI><LI><P>X-XSS-Protection "1; mode=block"</P></LI></UL><P>The hosted accept handshake is failing with the browser displaying:</P><P>chromewebdata/:1 Refused to display '<A href="https://nyu-langone-ce.staging.cm-hosting.com/" target="_blank" rel="noopener">https://nyu-langone-ce.staging.cm-hosting.com/</A>' in a frame because it set 'X-Frame-Options' to 'sameorigin'.</P><P>Is there any solution to this?</P><P>Many thanks</P><P>Nick</P><P>&nbsp;</P> Fri, 01 Sep 2023 10:16:50 GMT inkeyes 2023-09-01T10:16:50Z Hosted accept not working now server enforces X-Frame-Options: SAMEORIGIN https://community.developer.cybersource.com/t5/cybersource-APIs/Hosted-accept-not-working-now-server-enforces-X-Frame-Options/m-p/87453#M1156 <P>Hi,</P><P>We use the hosted accept to accept a payment, as per&nbsp;<A href="https://developer.authorize.net/api/reference/features/accept-hosted.html" target="_blank" rel="noopener">https://developer.authorize.net/api/reference/features/accept-hosted.html</A>&nbsp;and&nbsp;<A href="https://github.com/AuthorizeNet/accept-sample-app" target="_blank" rel="noopener">https://github.com/AuthorizeNet/accept-sample-app</A>&nbsp;</P><P>This used to work absolutely fine. However, we have now configured the webserver to enforce these headers:</P><UL class=""><LI><P>HSTS</P></LI><LI><P>X-Content-Type-Options set with a static value of nosniff on all routes.</P></LI><LI><P>X-Frame-Options: SAMEORIGIN to cover the CSP for frame-busting.</P></LI><LI><P>X-XSS-Protection "1; mode=block"</P></LI></UL><P>The hosted accept handshake is failing with the browser displaying:</P><P>chromewebdata/:1 Refused to display '<A href="https://nyu-langone-ce.staging.cm-hosting.com/" target="_blank" rel="noopener">https://nyu-langone-ce.staging.cm-hosting.com/</A>' in a frame because it set 'X-Frame-Options' to 'sameorigin'.</P><P>Is there any solution to this?</P><P>Many thanks</P><P>Nick</P><P>&nbsp;</P> Fri, 01 Sep 2023 10:16:50 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Hosted-accept-not-working-now-server-enforces-X-Frame-Options/m-p/87453#M1156 inkeyes 2023-09-01T10:16:50Z