Got interrupted by a call from a friend who wouldn’t wait.
The reason it isn’t good is probably tied to the fact that you have a url that has to be set in your API call. It has to match the url of the page hosting the iframe. Being a mass market product, your clients will have a variety of site names. The workaround there is to have in their admin setting a place for them to enter the address of their homepage, and then to have the file where the iframe is located have the same name and relative location for everyone. Have it set so that when they copy and paste their homepage url in their admin area, it gets tied to a constant in your application. Then you could dynamically set the file path.
So for instance, you might have the payment page in a folder called payment, one folder down from the root. Your client has https://redcartstore.com. They paste this in their admin, and it gets tied to a constant “BASE_URL” or some such name. Then in the prefab API call you build into your app, you would have the url set to BASE_URL . “/payment/checkout.php”.
There would have to be some intermediate sanitization steps to prevent people from breaking things. Some might copy a url that ends with index.php. You’d want to axe that. You’d also want to make sure it is consistent whether URLs end with a / or not, as this would determine how you reference the relative path.
The other thing that will get you is what I mentioned before, them being able to add styling and content customizations. It is possible for them to make the payment page not fully visible. For that I would design your app and then pretend to be your clients and try to break it in every way you can think of. A dozen or so iterations of deliberately breaking it would give you an idea of the constraints you need to put in.
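
The sanitization step described in the post above, as an added example that is not part of the original post or of any real product's code. The function names `normalize_base_url` and `checkout_url` are hypothetical, the sample inputs are constructed, and requiring https and rejecting embedded credentials are assumptions beyond what the post asks for.

```php
<?php
// Added example: normalize the homepage URL a client pastes into the admin
// area before it is stored as BASE_URL. All names here are hypothetical.

function normalize_base_url(string $input): string
{
    $parts = parse_url(trim($input));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('not an absolute URL');
    }
    // Assumption: the page hosting a payment iframe must be served over TLS.
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('URL must use https');
    }
    // Assumption: user:pass@host forms are rejected rather than stripped.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('URL must not contain credentials');
    }
    // Host names are case-insensitive; store one canonical spelling.
    $host = strtolower($parts['host']);
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        throw new InvalidArgumentException('unexpected characters in host');
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';

    // Axe a trailing index file, then any trailing slash, so the stored
    // value never ends in "/". Query string and fragment are discarded.
    $path = $parts['path'] ?? '';
    $path = preg_replace('#/index\.(php|html?)$#i', '', $path);
    $path = rtrim($path, '/');

    return 'https://' . $host . $port . $path;
}

function checkout_url(string $baseUrl): string
{
    // BASE_URL has no trailing slash, so the relative part always starts with one.
    return $baseUrl . '/payment/checkout.php';
}

// Constructed sample inputs of the kind a client might paste.
$samples = ['https://redcartstore.com', 'https://RedCartStore.com/index.php',
            'https://redcartstore.com/shop/?ref=1', 'http://redcartstore.com'];
foreach ($samples as $s) {
    try {
        echo $s, ' => ', checkout_url(normalize_base_url($s)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $s, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```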