We use Accept Hosted to accept a payment, as per https://developer.authorize.net/api/reference/features/accept-hosted.html and https://github.com/AuthorizeNet/accept-sample-app
This used to work absolutely fine. However, we have now configured the webserver to enforce these headers:
X-Content-Type-Options set with a static value of nosniff on all routes.
X-Frame-Options: SAMEORIGIN to cover the CSP for frame-busting.
X-XSS-Protection "1; mode=block"
The Accept Hosted handshake is failing with the browser displaying:
chromewebdata/:1 Refused to display 'https://nyu-langone-ce.staging.cm-hosting.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Is there any solution to this?