
fix: break out of SaferPay iframe on payment status redirect #325

Merged
TLabutis merged 2 commits into SL-346/accessibility-eaa-compliance from BUGFIX/iframe-redirect-top-window
May 15, 2026

Conversation

@TLabutis

Contributor

Summary

  • The polling script in views/templates/front/saferpay_wait.tpl navigated the iframe itself via window.location.href, leaving the parent window stuck on /module/saferpayofficial/iframe?... while the cart or order-confirmation page rendered nested inside the iframe.
  • Switched the redirect to (window.top || window).location.href so the top window navigates, matching the iframe-breakout pattern already used in views/js/front/saferpay_iframe.js.

Test plan

  • Cancel path (3DS auth without liability shift, paymentBehaviorWithout3D = Cancel): browser lands at top-level /gb/cart?action=show with the standard "We couldn't authorize your payment" notice (no nested chrome).
  • Success path (Capture behavior, same card): browser lands at top-level /gb/order-confirmation?id_cart=...&id_order=...&key=...; ps_saferpay_order shows authorized=1, captured=1; PS order state 21 (Payment completed by Saferpay).
  • Verified on PS 8.2.3 / PHP 8.1 against the SL-346 redesign branch.

The polling script in saferpay_wait.tpl navigated the iframe itself via
window.location.href, leaving the parent window stuck on the SaferPay
iframe controller URL while the cart or order-confirmation page rendered
nested inside the iframe.

Use window.top so the redirect targets the parent window and the user
lands at /cart or /order-confirmation with the proper top-level chrome.

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request updates the redirection logic in the Saferpay waiting template to use window.top for breaking out of iframes upon completion. The review feedback recommends using location.replace() instead of location.href to avoid history issues and suggests implementing a fallback mechanism to handle potential security policy restrictions on window.top access, which could otherwise lead to infinite polling loops.

Comment thread: views/templates/front/saferpay_wait.tpl (Outdated)
var data = JSON.parse(request.responseText);
if (data.isFinished && data.href) {
window.location.href = data.href;
(window.top || window).location.href = data.href;
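Review bot: the `|| window` guard on the added line only covers a null `window.top` (a discarded browsing context); it does not prevent the SecurityError a browser throws on `window.top.location.href = ...` when the iframe is sandboxed without `allow-top-navigation`, and since the assignment sits inside the template's try/catch that schedules a retry, a blocked breakout would poll indefinitely. Wrap the top assignment in its own try/catch that falls back to `window.location`, and prefer `location.replace()` over assigning `href` so the polling page is not kept in history.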

Contributor


high

Using location.replace() is recommended for redirects after a payment process to prevent the "waiting" page from being stored in the browser history. This ensures that if a user clicks the "Back" button from the order confirmation page, they aren't returned to the polling script.

Additionally, the current implementation might cause an infinite polling loop if the browser blocks access to window.top (e.g., due to security policies or iframe sandbox attributes). Since the redirect is inside a try-catch block that triggers a retry on failure, a blocked breakout will result in repeated failed attempts. Adding a fallback to window.location ensures the redirect still occurs within the iframe if the breakout fails.

                        try {
                            (window.top || window).location.replace(data.href);
                        } catch (e) {
                            window.location.replace(data.href);
                        }
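The polling redirect discussed in this thread, as an added example that is not code from the saferpayofficial module: the buggy in-iframe navigation beside the fixed breakout with replace() and the in-iframe fallback, run over a constructed window-like object so the blocked-top case can be exercised outside a browser. The `makeWindow` helper, its `parentWindow` handle and the plain Error used to simulate the block are assumptions of this example.

```javascript
// Added example, not the module's own code: the redirect step of the polling
// script over a window-like object, so each case can be run in Node.

// The original behaviour: navigate the iframe itself, so the top window stays
// on the iframe controller URL and the cart page renders nested in the frame.
function redirectInIframe(win, href) {
  win.location.href = href;
}

// The fixed behaviour. replace() keeps the spinner page out of history; the
// try/catch covers a SecurityError thrown when top navigation is blocked (e.g.
// a sandboxed iframe without allow-top-navigation). `|| win` only covers a
// null top. Returns which window was navigated.
function breakOutAndRedirect(win, href) {
  const target = win.top || win;
  try {
    target.location.replace(href);
    return target === win ? 'self' : 'top';
  } catch (e) {
    // Without this fallback the template's outer catch would schedule another
    // poll, and a blocked breakout would retry forever.
    win.location.replace(href);
    return 'self';
  }
}

// One polling response, as saferpay_wait.tpl handles it. Returns true when the
// redirect was issued and polling should stop.
function handlePollResponse(win, responseText) {
  let data;
  try { data = JSON.parse(responseText); } catch (e) { return false; }
  if (data.isFinished && data.href) {
    breakOutAndRedirect(win, data.href);
    return true;
  }
  return false;
}

// Constructed stand-in for the browser: an iframe window whose `top` points at
// a parent window, both starting on the iframe controller URL. Options
// simulate a blocked top navigation or a discarded (null) top.
function makeWindow({ blockTop = false, noTop = false } = {}) {
  const start = '/module/saferpayofficial/iframe';
  const frame = { location: { href: start, replace(h) { frame.location.href = h; } } };
  const parent = { location: { href: start, replace(h) { parent.location.href = h; } } };
  if (blockTop) parent.location.replace = () => { throw new Error('SecurityError'); };
  frame.top = noTop ? null : parent;
  frame.parentWindow = parent; // test-only handle for inspecting the parent
  return frame;
}
```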

Address review feedback on PR #325:
- Use location.replace() so the polling page is not stored in history
  (Back from order-confirmation should not return to the spinner).
- Wrap window.top access in try/catch with an in-iframe fallback in
  case sandboxing or browser policy blocks the breakout.
@TLabutis TLabutis merged commit e0570d9 into SL-346/accessibility-eaa-compliance May 15, 2026
1 of 3 checks passed
@TLabutis TLabutis deleted the BUGFIX/iframe-redirect-top-window branch May 15, 2026 10:16