Integration and Testing

Authorize.Net API questions and help with your payment integration.

Member
Posts: 4
Registered: 03-28-2018

Sameorigin issue

I'm getting this issue on Chrome in the Authorize.Net Accept Hosted form, but it works in Firefox:


Refused to display 'https://mysiteurl.com/scripts/IFrameCommunicator.html#action=resizeWindow&width=1000&height=301' in a frame because it set 'X-Frame-Options' to 'sameorigin'.


Please help with this. What can I do?

Member
Posts: 7
Registered: 03-07-2018

Re: Sameorigin issue

Your browser isn't allowing the iframe communicator page to be loaded in an iframe because your server's web server (Apache or nginx, probably) is setting a response header indicating that this shouldn't be allowed.


Specifically, the web server is setting the "X-Frame-Options" header to "sameorigin", which means the browser should only load its content in an iframe if the referring page is also on "mysiteurl.com"... and because the iframe communicator page is being loaded in an iframe inside the authorize.net page (which was itself loaded as an iframe on your page), the iframe communicator page is not on the same domain as the authorize.net page.


The solution is to prevent your webserver from setting that header, or set it to allow requests from authorize.net. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options, especially where it says how to configure Apache or nginx to set the header.


If anyone knows of an easier fix, I'm all ears. But so far that's the best I can find.
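The header check the question and this reply describe, as an added example (not code from the thread or from Authorize.Net): a small Python model of how a browser evaluates X-Frame-Options against the whole chain of embedding pages, and of the CSP frame-ancestors directive, which is the supported way to allow a foreign embedder such as the hosted payment page (Chrome never implemented X-Frame-Options ALLOW-FROM). The host name accept.authorize.net and the page URLs are assumptions.

```python
from urllib.parse import urlsplit
from fnmatch import fnmatchcase

def origin(url):
    """scheme://host[:port], lower-cased; path, query and fragment play no part."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"

def xfo_allows(header, frame_url, ancestors, all_ancestors=True):
    """Would X-Frame-Options let frame_url render inside this ancestor chain
    (innermost embedder first, top-level page last)? all_ancestors=True models
    Chrome; False models the top-level-only check older Firefox applied."""
    if header is None:
        return True
    value = header.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        checked = ancestors if all_ancestors else ancestors[-1:]
        return all(origin(a) == origin(frame_url) for a in checked)
    return True  # ALLOW-FROM and malformed values: Chrome ignores the header entirely

def frame_ancestors_allows(csp, frame_url, ancestors):
    """Evaluate CSP frame-ancestors, the supported way to permit a foreign embedder:
    every ancestor origin must match one of the listed source expressions."""
    sources = None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
    if sources is None:
        return True  # directive absent: CSP places no restriction on framing
    scheme = origin(frame_url).split("://")[0]
    def matches(ancestor):
        o = origin(ancestor)
        for src in sources:
            if src == "'self'" and o == origin(frame_url):
                return True
            # host-only sources are simplified to the framed page's own scheme
            if fnmatchcase(o, src if "://" in src else f"{scheme}://{src}"):
                return True
        return False
    return all(matches(a) for a in ancestors)

# Constructed scenario from the thread: the communicator page sits inside the hosted
# payment page, which sits inside the merchant's checkout page; accept.authorize.net
# is an assumed host name for the hosted form.
COMMUNICATOR = "https://mysiteurl.com/scripts/IFrameCommunicator.html#action=resizeWindow"
CHAIN = ["https://accept.authorize.net/payment/payment", "https://mysiteurl.com/checkout"]
```

Calling `xfo_allows("SAMEORIGIN", COMMUNICATOR, CHAIN)` gives False (Chrome's verdict, since the intermediate authorize.net page is a different origin) while the top-level-only check gives True, which is the Chrome-versus-Firefox difference in the question; `frame_ancestors_allows("frame-ancestors 'self' https://*.authorize.net", COMMUNICATOR, CHAIN)` gives True, showing the policy that lets the hosted form embed the communicator while still blocking every other site.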

Member
Posts: 1
Registered: 08-27-2021

Re: Sameorigin issue

X-Frame-Options is a header included in the response to the request to state whether the domain requested will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.