Iframe Implementation

 

Internet Explorer and Safari handle third-party content differently. Therefore, you must consider these differences when implementing a standard Secure Acceptance Checkout API implementation or an iframe implementation. Otherwise, payments can fail for customers using these browsers. PayPal Express Checkout is not supported on a Secure Acceptance iframe integration.

 

For the payer authentication 3D Secure 2.x process, ensure that the iframe is large enough to display the issuer’s access control server (ACS) challenge content (at least 390 x 400 pixels). For more information about ACS, see Payer Authentication Using the SCMP API (PDF | HTML).

Clickjacking Prevention

Clickjacking (also known as user-interface redress attack and iframe overlay) is used by attackers to trick users into clicking on a transparent layer (with malicious code) above legitimate buttons or clickable content for a site. To prevent clickjacking, you must prevent third-party sites from including your web site within an iframe.

While no security remediation can prevent every clickjacking, these are the minimum measures you must use for modern web browsers:

■	Set HTTP response header X-FRAME_OPTIONS to either “DENY” or “SAMEORIGIN”.

■	Provide frame-busting scripts to ensure that your page is always the top level window or disabling code for older browsers that do not support X-FRAME_OPTIONS.

You are required to implement the recommended prevention techniques in your web site. See the OWASP clickjacking page and the Cross-Site scripting page for current information.

Web application protections for Cross-site Scripting (XSS), Cross-Site Request Forgery (CSRF), etc. must also be incorporated.

■	For XSS protection, you must implement comprehensive input validation and the OWASP-recommended security encoding library to do output encoding on your web site.

■

For CSRF protection, you are strongly encouraged to use a synchronized token pattern. This measure requires generating a randomized token associated with the user session. The token will be inserted whenever an HTTP request is sent to the server. Your server application will verify that the token from the request is the same as the one associated with the user session.

Iframe Transaction Endpoints

For iframe transaction endpoints and supported transaction types for each endpoint, see Endpoints and Transaction Types.