fix: break out of SaferPay iframe on payment status redirect #325
The polling script in saferpay_wait.tpl navigated the iframe itself via window.location.href, leaving the parent window stuck on the SaferPay iframe controller URL while the cart or order-confirmation page rendered nested inside the iframe. Use window.top so the redirect targets the parent window and the user lands at /cart or /order-confirmation with the proper top-level chrome.
Code Review
This pull request updates the redirection logic in the Saferpay waiting template to use window.top for breaking out of iframes upon completion. The review feedback recommends using location.replace() instead of location.href to avoid history issues and suggests implementing a fallback mechanism to handle potential security policy restrictions on window.top access, which could otherwise lead to infinite polling loops.
| var data = JSON.parse(request.responseText); | ||
| if (data.isFinished && data.href) { | ||
| window.location.href = data.href; | ||
| (window.top || window).location.href = data.href; |
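Review bot: on the added line, data.href comes straight from the parsed poll response and now drives the top-level window instead of the iframe, so it should be validated before use. Resolve it with new URL(data.href, window.location.href) and navigate only when the scheme is http(s) and the origin matches the shop's own. Separately, window.top || window only covers a null top; a frame sandboxed without top-navigation permission raises an exception on the assignment, so the breakout needs a try/catch with an in-frame fallback rather than relying on the || operand.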
Using location.replace() is recommended for redirects after a payment process to prevent the "waiting" page from being stored in the browser history. This ensures that if a user clicks the "Back" button from the order confirmation page, they aren't returned to the polling script.
Additionally, the current implementation might cause an infinite polling loop if the browser blocks access to window.top (e.g., due to security policies or iframe sandbox attributes). Since the redirect is inside a try-catch block that triggers a retry on failure, a blocked breakout will result in repeated failed attempts. Adding a fallback to window.location ensures the redirect still occurs within the iframe if the breakout fails.
    try {
        (window.top || window).location.replace(data.href);
    } catch (e) {
        window.location.replace(data.href);
    }
Address review feedback on PR #325:
- Use location.replace() so the polling page is not stored in history (Back from order-confirmation should not return to the spinner).
- Wrap window.top access in try/catch with an in-iframe fallback in case sandboxing or browser policy blocks the breakout.
e0570d9
into
SL-346/accessibility-eaa-compliance
Summary
- views/templates/front/saferpay_wait.tpl navigated the iframe itself via window.location.href, leaving the parent window stuck on /module/saferpayofficial/iframe?... while the cart or order-confirmation page rendered nested inside the iframe.
- (window.top || window).location.href so the top window navigates, matching the iframe-breakout pattern already used in views/js/front/saferpay_iframe.js.
Test plan
- paymentBehaviorWithout3D = Cancel): browser lands at top-level /gb/cart?action=show with the standard "We couldn't authorize your payment" notice (no nested chrome).
- /gb/order-confirmation?id_cart=...&id_order=...&key=...; ps_saferpay_order shows authorized=1, captured=1; PS order state 21 (Payment completed by Saferpay).