I couldn't quite find a definitive answer for this. I'd like to make my checkout process more intuitive, and I'd like to use the DPM method to avoid having my server touch cardholder data. In particular I want to make sure if a transaction is rejected that the user doesn't have to re-enter all their cardholder data.
The most straightforward way I'm aware of is to post the form to the DPM processor using an AJAX request instead of redirecting the browser. When the DPM API notified my site of the results it would be trivial to reply with either a redirect URL or an error message that would be sent back to the AJAX initiator. By handling it this way the user would never leave the page they were on and therefore the form would remain populated without me having to handle that secure data in any way.
I tried searching for information about DPM and AJAX to see if this was a common implementation, but didn't see any. Before I go rewriting my processing system, am I missing any obvious security flaws in my reasoning, or is there any other reason (technical or a.net policy) not to do this?
05-30-2012 12:45 PM - edited 05-30-2012 12:50 PM
After stepping away from my computer for a few I realized that the above would violate the same-origin policy and not work in most browsers.
05-30-2012 03:45 PM
Didn't have time to try it out, but I think it could work if you do the posting in JavaScript, read the response with it, and probably set x_relay_response = FALSE and x_delim_data = TRUE, so it will be a mix of DPM and AIM.
Just make sure NOT to pass the transaction key as in AIM (NEVER ever pass that anywhere), but pass the x_fp_hash like in DPM.
05-30-2012 04:40 PM
What about using jQuery to send an AJAX request with crossDomain: true? Also, $.support.cors = true;? Has anyone tried this with DPM? If so, what was your data tag set to in the jQuery?
07-31-2013 09:59 AM - edited 07-31-2013 10:00 AM
Authorize.net will redirect as per the relay response page. So while you can't parse the results using an AJAX post, you can probably use an invisible iframe and do something like:
1) Copy to hidden form fields in the page in the iframe.
2) Submit it to Authorize.net
3) Authorize.net forwards to the appropriate error or receipt page
4) That page (which is now back on your site and therefore can probably communicate) calls a function on the parent page and passes success or an error message
5) If success, forward; if error, display the error and reactivate submit
Anyone see a way this wouldn't work?
08-02-2013 06:47 PM
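The iframe flow in steps 1 to 5 above, seen from the parent page, as an added example (not code from any poster or from Authorize.net). It uses `postMessage` instead of a direct function call so the sender's origin can be checked; `SITE_ORIGIN`, `decidePaymentAction`, the message shape and the element ids `paymentFrame` and `paymentError` are assumptions, while `ccButton` is borrowed from the snippet later in this thread.

```javascript
// Parent (checkout) page: act on the result reported by the iframe's receipt/error page.
const SITE_ORIGIN = 'https://shop.example'; // assumption: your site's own origin

// Returns null (ignore), {action:'redirect', url} or {action:'error', message}.
function decidePaymentAction(event, iframeWindow) {
  // Accept only messages from our own origin, sent by the payment iframe itself.
  if (!iframeWindow || event.origin !== SITE_ORIGIN || event.source !== iframeWindow) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'payment-result') return null;

  if (data.status === 'success') {
    // Follow only same-origin receipt URLs so a message cannot act as an open redirect.
    if (typeof data.receiptUrl !== 'string') return null;
    let target;
    try { target = new URL(data.receiptUrl, SITE_ORIGIN); } catch (e) { return null; }
    if (target.origin !== SITE_ORIGIN) return null;
    return { action: 'redirect', url: target.href };
  }
  if (data.status === 'error') {
    // Treat the message as plain text (never HTML) and cap its length.
    return { action: 'error', message: String(data.message || 'Payment failed').slice(0, 200) };
  }
  return null;
}

// Browser wiring (skipped when the file is loaded outside a browser).
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (event) {
    const frame = document.getElementById('paymentFrame');
    const result = decidePaymentAction(event, frame && frame.contentWindow);
    if (!result) return;
    if (result.action === 'redirect') {
      window.location.assign(result.url);
    } else {
      document.getElementById('paymentError').textContent = result.message;
      document.getElementById('ccButton').disabled = false; // step 5: reactivate submit
    }
  });
}

// In the receipt/error page inside the iframe (status and text only, no card data):
//   parent.postMessage({ type: 'payment-result', status: 'error', message: '...' }, SITE_ORIGIN);
```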
$.ajax({
    type: "POST",
    crossDomain: true,
    url: 'https://apitest.authorize.net/xml/v1/request.api',
    dataType: "json",
    data: createCustomerProfileRequest,
    success: function (response) {
        if (response.dataValue == "Error") {
            toastr.warning(response.dataDescriptor);
        } else {
            toastr.success('Successfully submitted payment!');
        }
        // Re-enable the submit button once a response has arrived
        $("#ccButton").attr("disabled", false);
    },
    error: function (error) {
        toastr.error('Could NOT submit payment!');
        // Re-enable the submit button so the user can retry
        $("#ccButton").attr("disabled", false);
    }
});
The above is my AJAX POST but it doesn't work. I still get the same error even though I've verified my JSON is correct and can send the same payload via Advanced Rest Client without failure.
04-22-2019 10:51 AM
that you could hide the request in an iframe to avoid those issues.
I'm ashamed to recommend IFrames as a solution to anything. Remember, they don't always play nicely with older mobile browsers.
04-29-2019 04:09 AM