I work on an ecommerce platform that integrates with the Authorize.net hosted payment/hosted customer profile pages. Integration has been working fine in nightly UI tests for the last six months.
Last night, all of our tests failed with a content security policy error indicating that test.authorize.net refused to connect because the Content-Security-Policy header set on the response from https://test.authorize.net/ has the frame-ancestors directive set to 'none'. Obviously that's not going to work for an iframe implementation, so I'm trying to figure out if there's some kind of setting I can configure in the merchant portal to allow the domain(s) for my site to frame the hosted profile page.
This is the full Content-Security-Policy header being returned:
default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
I don't see anything in the merchant portal or in their documentation about configuring valid frame ancestors, and nothing about our integration has changed in the last several months, so, without knowing how that header is being constructed on their end, it seems like they all of a sudden set a CSP header that will break any iframe implementation.
I tried looking through their documentation, specifically the "Accept Hosted" developer guide here, but I didn't see anything about content security policy. If it's now a requirement to specify a list of valid ancestors somewhere, I was expecting to be able to find some documentation indicating where/how to do that.
UPDATE: Someone added a similar thread on the Authorize.net developer forum, so may be worth upvoting that if you came here looking for answers. Will update this post if anything comes out of that forum discussion.
This appears to have been resolved in the sandbox area overnight. I am no longer seeing a Content-Security-Policy header on the response when I POST to the https://test.authorize.net/customer/addPayment endpoint, and the issue is no longer occurring in my site. However, some have commented in the Authorize.net developer forum (link in update to question) that the issue is occurring for them in production today.
Best I can tell, Authorize.net started setting the frame-ancestors directive on the content security policy header in a manner incompatible with the iframe integration methods for their "Accept Hosted" endpoints and have now reverted that change.
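A check of the kind a nightly suite could run against the hosted page's response headers, as an added example that is not part of the original post or of Authorize.net's tooling: it parses a Content-Security-Policy value and reports whether a given parent origin may frame the response. The merchant origin `https://shop.example.com` and all function names are assumptions; the sample header is the one quoted in the question.

```javascript
// Added example (not from the post). Simplified source matching: 'none',
// 'self', *, scheme sources, host sources with optional scheme, "*." and port.
// Only the immediate parent is checked; browsers check every ancestor.
const QUOTED_HEADER = "default-src 'self'; form-action 'self'; object-src 'none'; " +
  "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content";
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return parent.origin === self.origin;
  if (s === '*') return ['http:', 'https:'].includes(parent.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme-less host sources are compared against the framed page's scheme.
  if (parent.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  // "*.example.com" covers subdomains only, not example.com itself.
  const hostOk = wildcard ? parent.hostname.endsWith('.' + host)
                          : parent.hostname === host;
  // URL.port is '' for the default port, so normalise before comparing.
  const parentPort = parent.port || DEFAULT_PORT[parent.protocol];
  const portOk = port === '*' || parentPort === (port ?? DEFAULT_PORT[parent.protocol]);
  return hostOk && portOk;
}

function canFrame(headerValue, parentOrigin, responseOrigin) {
  const sources = parseCsp(headerValue).get('frame-ancestors');
  // frame-ancestors has no default-src fallback: absent means CSP allows framing.
  if (sources === undefined) return true;
  // An empty list or a lone 'none' matches no ancestor at all.
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const parent = new URL(parentOrigin);
  const self = new URL(responseOrigin);
  return sources.some((src) => sourceMatches(src, parent, self));
}
```

Asserting `canFrame(header, merchantOrigin, 'https://test.authorize.net')` on the header captured from the hosted-page response makes a test fail with a message naming the directive, rather than with a blank iframe.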