Sagepay ACS Providers being blocked by CSP - opayo

We have an integration with sagepay where we load sagepay url within an iframe in our web-application. We do have *.sagepay.com defined in the frame-src directive of our CSP policy for the iframe.
However, recently our customers started reporting this error where the request was being blocked by the browser (Chrome) due to error: The page's setting blocked the loading of resource at https://***.touchtechpayments.com. This specifically happens on 3D secure validation. On contacting sagepay we were told that touchtechpayments is one of the ACS providers for Mastercard and needs to be allowed for Secure3D. However, they do not have a full list of all ACS providers.
I did add the above provider to our CSP allow list, however, we started getting reports of other providers(*.arcot.com) being blocked due to CSP .
Now, I am not sure what is the best way to handle this, and sagepay support is kind of clueless too. On searching Mastercard/Visa, we found a list of CSP providers but don't think its practical to add those all to the CSP list and maintain that list.
How do other people deal with this issue? I am sure other people must've faced similar issues with Sagepay integration?

We had the same problem. We had to add sandbox='allow-scripts allow-top-navigation allow-forms' into the iframe nodes.

We've had the same problem, we've ended up setting the: frame-src * CSP for the page that loads the SagePay/Opayo iFrame, otherwise the external providers would get blocked based on our strict default-src policy.
I am not sure if there is anything else you can do. You either list them individually or loosen up the rule.
Setting up: frame-src * shall be OK security-wise, given you trust SagePay. Since you're using them for payments, you certainly do to some degree.

Related

How do I get XHR/Ajax resource timing data from window.performance?

When I open the Firefox "network" tab in the developer tools, I'm able to see the timing data from all the requests my page is making, including application/json (XHR) calls. I want to be able to get this timing information programmatically.
In Selenium, I let my page load fully and then ask the window.performance.getEntries() method for all of the resources. It gives me back a ton, including CSS, javascript, etc, but I don't see the calls to our RESTful services that show up in the Firefox window as "json" requests.
Since Firefox shows them in its Network tab in the developer tools, is a way for me to get them programatically? Our app is an angular app that is not using iframes.
I figured out my issue after a day of googling and trying different things. Thanks to this article I discovered that I needed to add Timing-Allow-Origin: * to the response header of all the services.
Once I did that, the timing information started to appear. It's apparently because the services are hosted at a different domain than my client. I don't understand the ramifications of leaving that header in there so I'll make sure it doesn't get deployed to production.

Cross Domain Requests Confusion

I recently came across the fact that cross domain requests are not considered good. My question is that then how does my browser send login data to websites like Facebook ? Is my computer on the same network domain as Facebook etc?
The same origin policy applies to XMLHttpRequest and similar methods. Facebook and similar apps use JSONP to get around this restriction by exploiting the fact that this policy is not applied to script tags.
http://en.wikipedia.org/wiki/JSONP
Edit: It works sort of like google analytics or ad sites that add code to your page from their server, but the code that they add with JSONP calls a function that you define on your code and passes the response as arguments, so two-way comminication is possible.

Hiding AJAX with JSON communication from user

We are currently working on a web client that communicates with the server using AJAX with JSON. The client is based on gwt, and communication is over https.
The communication can be easily inspected by browser tools - is there some reasonable approach to hide this from the user, i.e. securing the protocol?
Other than standard authentication and encryption techniques used by all browsers, whatever method you come up with, it must be initiated by your JavaScript client. This means that a good hacker can deconstruct your JavaScript and figure out how you submit data.
Security usually deals with either third parties trying to intercept communication or pose as legitimate users, or malicious users trying to get access to where they are not supposed to. Once you verified that a user is legitimate, why would you try to hide user's data from the user? Maybe you can describe your use case.
EDIT:
The only way to prevent bots is to ask a question that only a human can answer (e.g. Captcha) somewhere in the workflow (i.e. before submitting important data). It's usually annoying for users, but there is no other way. Since you build a gaming platform, ask your designer to come up with some fun verification.
Just to Round off Security Checklist
1) HTTPS - you have got it set up already :)
2) Json and XSS/XSRF Web Security -
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json-xsrf
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json
3) BOT attacks - A decent captcha - Captcha in GWT Widget
4) Miscellaneous - https://groups.google.com/forum/?fromgroups=#!topic/google-web-toolkit/_gViO5aZ-WQ

Google Calendar can't subscribe to icalendar feed over https?

Would someone happen to know if Google Calendar has some problems subscribing to iCalendar feeds served on a secure https-address?
I'm developing a website running on an https-address that has an iCalendar feed that users can subscribe to. The feed works just fine in Outlook and iCal, but not in Google Calendar. When a user attempts to subscribe to the feed, they get the error message "Could not fetch the URL".
I suspected that there was something wrong with the feed or the generated iCalendar data, so I ran the .ics file produced through a number of validators, and they were fine. To rule out an error in the feed itself, I put the generated .ics file on the server, to see if a static file would work, and that failed in Google Calendar as well. Then I put the file on a completely different server behind a non-secure (http) url, and that worked!
So I'm beginning to suspect that httpS is the problem. The server's certificate is valid, so that shouldn't be causing any trouble. Besides, the validators could access the feed (and the static file) just fine.
This google groups discussion indicates that others are having similar suspicions: http://productforums.google.com/forum/#!topic/calendar/61-eUd-fyrg
Problem is, the site HAS to run on over https, so I can't just switch to http to make the feed work.
So, if anyone has any information confirming or contradicing my theory, or any ideas about what else might be causing these problems, I would greatly appreciate it.
I can confirm that (today) Google Calendar can successfully subscribe to an HTTPS iCal feed.
You can test this yourself by adding this URL: https://events.stanford.edu/byCategory/2/eventlist.ics
To be extra sure I also did another test of giving it an HTTPS url that didn't also work if you replace the https -> http. That was also fine, so in all cases, HTTPS should work.
What doesn't work in my tests is:
HTTP Authentication (https://myusername:mypw#example.com/) - I got "Could not fetch URL" - but that's not what this question is asking.
Any URL over 256 characters. However, using a link shortener (e.g., goo.gl) works around this issue.
Google has confirmed that it really is an issue with HTTPS, i.e. Google Calendar is unable to subscribe to iCalendar feeds from external encrypted (https) URLs.
My employer has an enterprise account with Google, and we filed a support request with google's enterprise support, with example feeds and our own assesment of the problem.
Today, we finally got a proper answer, confirming our initial analysis and informing us that the correct techincal team has been notified and an internal feature request (for supporting feed from https-urls) has been opened.
We were not given any timeframe for the fix, but I requested that they get back to us when the issue has been resolved. I will add that information to this answer once I receive it.
The issue we've found in our case is that Google Calendar currently ignores the HTTPS indication in the URL and accesses via HTTP instead. If your HTTP requests redirect to HTTPS or just serve up the content over HTTP, then it will work. If you have a firewall blocking port 80, then things hang and its game over.
TL;DR: If your URL works with http in addtion to https, then it will work with Google Calendar when you enter it as https. (That assumes robots.txt does not restrict access.) Otherwise, it will fail.
As of January 2020 the problem appears to be resolved - Google Calendar does not appear to have problems subscribing to and updating valid RFC5545 calendars. The icalender.org validator works well and can test both a file and a link (subscription).
I've been working on creating my own iCal subscription system from scratch and wanted to share something I learned this week, ten years after the start of this discussion.
Like discussed above, importing via URL accepts https:// just fine.
But when creating an "Add to Calendar" URL for Google Calendar I discovered that they still won't accept https:// links.
The "Add to Calendar" URL formula is:
https://calendar.google.com/calendar/u/0/r?pli=1&cid=<iCal-URL-Here>
Some examples to make it clear:
// https will not work:
https://calendar.google.com/calendar/u/0/r?pli=1&cid=https://example.com/ical.ics
// http will work:
https://calendar.google.com/calendar/u/0/r?pli=1&cid=http://example.com/ical.ics
// You may also try using the webcal protocol:
https://calendar.google.com/calendar/u/0/r?pli=1&cid=webcal://example.com/ical.ics
Your mileage may vary depending on your host's handling of unsecured requests. I welcome anyone who runs into trouble to leave a comment.
Before I part, another friendly tip: You need to URI encode your iCal URL when using this import URL.
So, in reality, your link would be:
https://calendar.google.com/calendar/u/0/r?pli=1&cid=http%3A%2F%2Fexample.com%2Fical.ics
In JavaScript, use encodeURIComponent().
if the server has a robots.txt blocking google, this was a cause for failure with google calendar for me too. So, have you tried looking at the robots.txt of your https server?
This being said, is not a limitation of google calendar + https as google calendar provides https for its on "private address" for .ics files and thereof it can also accept https from google.com (though this is only one configuration over many other possible).
I have had a lot of difficulties with this:
It was frustrating because a downloaded file would open in Google Calendar or iCal, but it would not load as feed in either. I would get these errors in Google Calendar when I did add by URL: "Failed to import calendar from" (sitename) or "Could not fetch the URL."
Here's what I had to do:
Have duration or endtime for events, NOT BOTH.
I also had to remove this from the header:
content-disposition: attachment; filename=Schedule.ics;
Also, to check if it's valid, Google ical validator.

How do payment gateway servers close client connection after certain time?

I do not know if stackoverflow is the right place to ask this question. But I have this doubt in my mind for a long time, so I am asking it here.
I have seen many payment gateways that have certain time limit before the page expires or server closes connection. The user is expected to enter the password and complete verification before the page expires. This is not done using session or javascript. So, how does the server close the client connection, without getting any request from the client?
How do you know that the client does not make any requests?
This site uses a mixture html, javascript and browser cookies to manage users connections. So if javascript is disabled it falls back into html/cookies for authentication/login/logout and only admits OpenID credentials.
HTML provides methods for sending/recieving information, so you don't have to rely entirely on JavaScript, although JS certainly improves the experience and features.
Sorry if my answer is somehwat vague, as your question was vague as well.

Resources