I’m working on a website which takes payment from a customer. I’m using Kohana 2.3.4 and have created a library to handle the payment gateway I use (www.eway.com.au). Basically I’m just using their sample code, copied into it’s own class.
Anyway, the code works fine and I can make payments, etc. The issue I have is when the payment gateway is returning the user to my site. The payment gateway uses HTTPS so that is secure, and it is sending the user back to a HTTPS page on my site.
However I have the NoScript plugin installed in Firefox, and when I get sent back to the page on my website (which also handles storing the transaction data) I get an error message saying that NoScript has blocked a potential XSS attack.
Now I understand why it’s unsecure (POST data being sent across two different domains) but what should I be doing instead? Obviously during my testing here I temporarily disable NoScript and it all works fine, but I can’t rely on that for the end users.
What’s the best practice here?
This is the way most payment gateways operate. If your gateway does not provide you with another way of handling transmitted data, then you’re stuck with it.
On the other hand: Don’t worry too much. Depending on your audience, most users won’t have NoScript installed. And those that do, will hopefully know what to do in such a situation.