We are having the same issue as in this post: https://community.developer.authorize.net/t5/Integration-and-Testing/AUthorize-net-hosted-payment-pa...
From reading that post, we have tried applying the Content-Security-Policy via the web.config file (ASP.NET/IIS), but it is not working. We are passing a paymentProfileId in the token.
Example of web.config:
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://localhost:44300 *.ourdomain.com *.authorize.net" />
</customHeaders>
</httpProtocol>
We have even tried with Content-Security-Policy-Report-Only but still no luck; it acts the same.
What can we do when the content-security-policy is not working?
02-15-2021 01:43 PM
Hello,
Try the following in your Web.config:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' *.YOUR_WEBSITE.com *.authorize.net;" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
02-16-2021 03:42 AM
I'm pretty sure we've tried that but let me give it another go and post back, thank you for the suggestion!
02-23-2021 08:42 AM
No dice, still does not work. I find it odd that it doesn't work with the report-only option. Does anyone know of a setting within IIS that would be overriding the web.config?
03-26-2021 01:12 PM
Sometimes this error is the result of a target window that has not finished loading.
The basic syntax to check that the target frame has loaded would be:
const iframe = document.getElementById("pay_frame");
iframe.addEventListener("load", function() {
  // Continue to display the content ...
});
For IIS, to disable inheritance in child applications, wrap the configuration block in a:
<location path="." inheritInChildApplications="false">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self' *.YOUR_WEBSITE.com *.authorize.net;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>
03-26-2021 02:25 PM - edited 03-26-2021 02:30 PM
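
Added example, not part of any post in this thread: a small Node.js check of whether a set of Content-Security-Policy response header values lets a given origin frame the page, using a simplified frame-ancestors match. The origins, the second `frame-ancestors 'self'` header and all function names are constructed for illustration; it shows that when the header is sent more than once every policy must allow the ancestor, and that `*.ourdomain.com` does not cover the bare domain.

```javascript
// Added diagnostic sketch: simplified CSP frame-ancestors matching (no path
// handling, no IP-literal rules). Header values and origins are constructed samples.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function sourceAllows(expr, ancestor, self) {
  if (expr === "*") return true;
  if (expr === "'self'") return ancestor.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return ancestor.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unparsable source (or 'none') allows nothing
  const [, scheme, wild, host, port] = m;
  // A scheme-less host source follows the protected page's scheme (https also satisfies http).
  const wantScheme = (scheme || self.protocol.slice(0, -1)).toLowerCase() + ":";
  const upgraded = wantScheme === "http:" && ancestor.protocol === "https:";
  if (ancestor.protocol !== wantScheme && !upgraded) return false;
  const h = ancestor.hostname.toLowerCase(), want = host.toLowerCase();
  // "*.example.com" covers subdomains only, never the bare "example.com".
  if (wild ? !h.endsWith("." + want) : h !== want) return false;
  const actualPort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  return port === "*" || actualPort === (port || DEFAULT_PORT[ancestor.protocol]);
}

// Pass only enforced Content-Security-Policy values (Report-Only never blocks).
// A header may appear several times, and one value may hold comma-separated
// policies; every policy that has frame-ancestors must allow the ancestor.
function framingAllowed(headerValues, ancestorOrigin, selfOrigin) {
  const ancestor = new URL(ancestorOrigin), self = new URL(selfOrigin);
  return headerValues.flatMap(v => v.split(",")).every(policy => {
    const directive = policy.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors");
    return !directive || directive.slice(1).some(s => sourceAllows(s, ancestor, self));
  });
}

const SELF = "https://shop.ourdomain.com";   // constructed origin of the framed page
const FRAMER = "https://test.authorize.net"; // constructed sample ancestor origin
const PAGE_POLICY = "frame-ancestors 'self' https://localhost:44300 *.ourdomain.com *.authorize.net";
const PARENT_POLICY = "frame-ancestors 'self'"; // hypothetical second header from a parent level

console.log(framingAllowed([PAGE_POLICY], FRAMER, SELF));
console.log(framingAllowed([PAGE_POLICY, PARENT_POLICY], FRAMER, SELF));
console.log(framingAllowed([PAGE_POLICY], "https://ourdomain.com", SELF));
```

Feed it the Content-Security-Policy values actually seen on the response in the browser's network tab, one array entry per header line, rather than the value written in web.config.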