automatic credit card filling disabled (eway, payment in https iframe)
Reported by
mi...@mikelward.com,
Jun 4 2016
Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 8172.47.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Platform: 8172.47.0 (Official Build) beta-channel tricky

Steps to reproduce the problem:
1. Go to http://www.sexparty.org.au/get-involved/donate
2. Click Donate
3. Type "4" in the credit card field to try to start auto fill

What is the expected behavior?
It shows a list of stored credit cards.

What went wrong?
It says "Automatic credit card filling is disabled because this form does not use a secure connection".

Did this work before? N/A

Chrome version: 51.0.2704.79 Channel: beta
OS Version: 8172.47.0
Flash Version: Shockwave Flash 21.0 r0

It looks like payment form is an iframe created dynamically when clicking the Donate button, and the iframe itself is served over https. The page that spawns the payment form is served over http, but presumably isn't involved in the actual payment processing.
,
Jun 5 2016
Thank you for the report. This behavior is intentional; the top-level page also needs to be served over HTTPS. If there were a MITM attack, it wouldn't be enough for only the iframe to be served over HTTPS because the attacker could simply swap out the iframe for a different one that takes the customer's credit card information.
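
The rule described in the reply above, modelled over a frame tree. This is an added example, not part of the original thread and not Chrome's implementation; the frame-tree shape, the function names and the example.* URLs are assumptions constructed for illustration.

```javascript
// Model of the rule from the thread: a frame is eligible for credit card
// autofill only if it AND every ancestor up to the top-level page were
// loaded over HTTPS. (Illustrative model, not Chrome's code.)

function isHttps(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false; // unparsable URL: treat as insecure
  }
}

// frame: { url: string, children?: frame[] }  (hypothetical shape)
// Returns one record per frame, depth-first, naming the outermost
// insecure document in the chain when autofill would be refused.
function auditFrameTree(frame, ancestors = []) {
  const chain = [...ancestors, frame.url];
  const blockedBy = chain.find((u) => !isHttps(u)) || null;
  const record = {
    url: frame.url,
    depth: ancestors.length,
    autofillAllowed: blockedBy === null,
    blockedBy,
  };
  const nested = (frame.children || []).flatMap((c) =>
    auditFrameTree(c, chain)
  );
  return [record, ...nested];
}

// Constructed sample 1: the layout from the report, an HTTP page that
// embeds an HTTPS payment iframe.
const reportedLayout = {
  url: "http://shop.example/donate",
  children: [{ url: "https://pay.example/form" }],
};

// Constructed sample 2: the same layout with the top-level page on HTTPS.
const fixedLayout = {
  url: "https://shop.example/donate",
  children: [{ url: "https://pay.example/form" }],
};

for (const layout of [reportedLayout, fixedLayout]) {
  for (const r of auditFrameTree(layout)) {
    const verdict = r.autofillAllowed ? "allowed" : `blocked by ${r.blockedBy}`;
    console.log(`${"  ".repeat(r.depth)}${r.url}: ${verdict}`);
  }
}
```

In a live page, the standard `window.isSecureContext` property reports a comparable ancestor-aware result from inside the frame.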
,
Jun 27 2017
Comment 1 by mi...@mikelward.com
, Jun 4 2016