I am implementing HostedPayment using an embedded frame. While integrating, I have noticed that the generated token is available on the parent page, where it can easily be manipulated with a different token. As the form and iframe are on the same page, anyone can manipulate the HTML through Inspect Element and inject another token, with a different merchant ID, instead of the real one, and all the payments will move to that merchant account. Below is the form which your document says to implement. Could you please look into it?
<div id="iframe_holder" class="center-block" style="width:90%;max-width: 1000px">
<iframe id="load_payment" class="embed-responsive-item" name="load_payment" width="100%" height="650px" frameborder="0" scrolling="no" hidden="true">
</iframe>
<form id="send_hptoken" name="send_hptoken" action="https://test.authorize.net/payment/payment" method="post" target="load_payment">
<input type="text" name="token" value="<?php echo $hostedPaymentResponse->token ?>" />
</form>
</div>
10-04-2020 02:16 AM
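One server-side safeguard against the token swap described in the post, as an added example that is not part of the original post or of the gateway's documentation: the merchant server marks an order paid only when it receives a signed server-to-server notification for its own account that matches the order, so a payment made under a swapped token never settles the order. It assumes the gateway sends an HMAC-SHA512-signed notification; the header format, payload field names, key, function names and order data are constructed assumptions.

```php
<?php
// Added example. The key, orders, header format and payload field names are
// constructed assumptions; check them against your gateway's webhook docs.

/** Constant-time check of an HMAC-SHA512 signature over the raw request body. */
function signatureIsValid(string $rawBody, string $header, string $key): bool
{
    $expected = 'sha512=' . hash_hmac('sha512', $rawBody, $key);
    return hash_equals($expected, strtolower($header));
}

/** Returns the invoice number to mark paid, or null if the notice is not trusted. */
function confirmPaidOrder(array $orders, string $rawBody, string $header, string $key): ?string
{
    if (!signatureIsValid($rawBody, $header, $key)) {
        return null;                  // not signed with our account's key
    }
    $payload = json_decode($rawBody, true)['payload'] ?? [];
    $invoice = $payload['invoiceNumber'] ?? '';
    if (!is_string($invoice) || !isset($orders[$invoice])
        || $orders[$invoice]['status'] !== 'pending') {
        return null;                  // unknown order, or already settled (replay)
    }
    // Compare in integer cents to avoid float equality problems.
    $cents = (int) round(((float) ($payload['authAmount'] ?? 0)) * 100);
    if ($cents !== $orders[$invoice]['amountCents']
        || ($payload['responseCode'] ?? 0) !== 1) {
        return null;                  // wrong amount or not approved
    }
    return $invoice;
}

// Constructed sample data: one pending order and one notification body.
$key    = 'constructed-signature-key';
$orders = ['INV-1001' => ['amountCents' => 4999, 'status' => 'pending']];
$body   = json_encode(['payload' => [
    'invoiceNumber' => 'INV-1001', 'authAmount' => 49.99, 'responseCode' => 1,
]]);
$good   = 'sha512=' . strtoupper(hash_hmac('sha512', $body, $key));
$forged = 'sha512=' . str_repeat('0', 128);

var_dump(confirmPaidOrder($orders, $body, $good, $key));    // genuine notice for our order
var_dump(confirmPaidOrder($orders, $body, $forged, $key));  // forged signature
// With a swapped token no notice reaches this account, so the order stays pending.
```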