Thanks for responding. Unfortunately, now that I've integrated DPM with my site, I'm more confident that the current implementation requiring an HTML refresh/redirect is less than ideal. In addition to not being "correct", it requires integrating sites to implement more code. Worst of all, it unnecessarily interrupts what would otherwise be seamless integration. I had previously been using an advanced integration method (payment form submitted to my server) via ActiveMerchant. Before DPM integration, as a user, if I submitted a valid payment form, I would immediately see a confirmation page. With DPM, I see an intermediate page splash followed by an automatic redirect to the confirmation page. Now of course, as you mention, the intermediate page can be customized, but I don't need or want to see/wait for it at all. Integrating DPM has had a negative impact on the user experience.
"I think the idea is to give you control over the response, but not give you the ability to set headers, which could result in a lot of exploitation."
There are no additional exploits that I'm aware of that would be introduced by allowing the "relay response" response to include a custom response header providing a redirect location for Authorize.Net's 303 response to the user's browser. Alternatively, the same could be accomplished via a text/plain response with the redirect location in the body, JSON, etc.
Anyway, it seems it would be a trivial change to support HTTP redirects as an alternative to the current implementation and I believe it would support a better user experience and truly seamless integration. Is there a recommended channel beyond posting to this list that I can pursue?
-lenny