Yoroi extension (incorrectly?) adding fields to payment form #2750

Open
marcobaldo opened this issue Feb 25, 2022 · 5 comments

@marcobaldo

marcobaldo commented Feb 25, 2022

I suddenly started getting invalid card number errors when entering my details in this form. This form is not from Yoroi but from a payment service popular in the Philippines. If I disable the extension and refresh the page, the field borders now suddenly look correct. See screenshots.

image

Notice the form borders. The expiry dates are also correctly rendered as dropdowns.
image

@marcobaldo changed the title from "Yoroi extension (incorrectly?) adding fields to payment" to "Yoroi extension (incorrectly?) adding fields to payment form" on Feb 25, 2022
@vsubhuman
Contributor

O_o

@vsubhuman
Contributor

Thank you for the report, @marcobaldo! This is weird as heck, but we'll look into any technical possibilities for this happening. Would be very helpful if you can provide the details on which browser you are using and which website is that where you have this issue happening, if possible of course.

@marcobaldo
Author

marcobaldo commented Feb 25, 2022

Hi @vsubhuman, I'm using Chrome.

Version 98.0.4758.102 (Official Build) (64-bit)
Windows 10 Pro 21H1, 19043.1526

Not sure if you can get to the site as it's a payment form redirect from a checkout page with POST-ed data (kinda like Stripe checkout used by local businesses), but the URL is https://pesopay.com/b2c2/eng/payment/payForm2.jsp

Happy to provide other details if you need them.

Edit: I can provide a diff/side by side of the resulting HTMLs if that helps. Let me just remove identifiers.

@marcobaldo
Author

Unfortunately these are the only things I can provide.

The diffs are a bit useless as only titles seem changed on the main page - the form fields are inside iframes. This is what they look like. (left with extension disabled, right enabled)
image

It seems they render each field inside individual iframes which also trigger the extension (?).

Attached are two files:

  1. html.txt - The original server response. This is identical with extensions enabled/disabled. I just replaced all potentially sensitive info with "xxxxxx". There's a session.js included at the top that seems to be responsible for rendering the iframes.
  2. iframe.txt - One resulting iframe with the extension enabled. With it disabled, the only difference is the input right after isn't there.

html.txt
iframe.txt

@aatsindev

@vsubhuman seems like the connector is injected in the iframes as well instead of being limited to the top window?

Correct me if I'm wrong but if there's no usage of the connector inside an iframe, we can limit that by checking if we're on the top window and include the scripts only if true.

Any dex or partner using an iframe to load the connector?
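
The top-window check proposed in the comment above, as an added example that is not part of the original thread and is not Yoroi's code: it runs an unguarded and a guarded injector over a constructed checkout page with one iframe per card field. All function names, the `fakeWindow` stand-in and the `inject.js` URL are assumptions made for illustration.

```javascript
'use strict';

// Placeholder URL; a real content script would resolve its own bundled file.
const CONNECTOR_URL = 'chrome-extension://EXTENSION_ID/inject.js';

// Unguarded: appends the connector <script> to whatever frame it runs in.
function injectConnector(win, scriptUrl) {
  const doc = win.document;
  const script = doc.createElement('script');
  script.src = scriptUrl;
  (doc.head || doc.documentElement).appendChild(script);
  return true;
}

// Guarded: inject only in the top-level browsing context.
// Comparing window references is permitted across origins, so this check
// does not throw inside a third-party payment iframe.
function injectConnectorTopOnly(win, scriptUrl) {
  if (win.self !== win.top) return false;
  return injectConnector(win, scriptUrl);
}

// Constructed stand-in for a window; records nodes appended to its document.
function fakeWindow(top) {
  const added = [];
  const root = { appendChild: (el) => added.push(el) };
  const win = {
    added,
    document: { head: null, documentElement: root, createElement: (tag) => ({ tag }) },
  };
  win.self = win;
  win.top = top || win;
  return win;
}

// Constructed checkout page with one iframe per card field. Runs `inject` in
// every frame (assumption: the content script is loaded into all frames) and
// returns how many extra nodes each frame ended up with.
function simulate(inject, fieldCount) {
  const page = fakeWindow();
  const fields = Array.from({ length: fieldCount }, () => fakeWindow(page));
  for (const win of [page, ...fields]) inject(win, CONNECTOR_URL);
  return { page: page.added.length, fields: fields.map((f) => f.added.length) };
}

console.log('unguarded:', simulate(injectConnector, 3));
console.log('top-only: ', simulate(injectConnectorTopOnly, 3));
```

The guard leaves the field iframes untouched but would also block any partner that loads the connector from inside an iframe, which is the open question in the comment above.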
