The 3-D Secure standard (http://en.wikipedia.org/wiki/3-D_Secure) redirects the cardholder during shopping to the access control server (ACS) of his card-issuing bank. This redirect is done with a form submission to a different domain than the shop.
The following POST parameters are necessary on the ACS:
PaReq (base64 encoded, signed XML document)
MD (session identifier)
TermUrl (return url to the shop)
After cardholder authentication on the ACS, the cardholder's browser must return to the shop system. This is done with a form submission to the above-mentioned TermUrl. On this page the following POST parameters are necessary:
PaRes (Base64 encoded, signed XML document)
MD (same session identifier as above)
With the standard configuration of the great NoScript plugin, no 3DS payment is possible.
Thanks for investigating/thinking about it.
Thomas
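The two hops described above, as an added example (not the poster's or NoScript's code): the shop builds the cross-domain POST form to the ACS, and its TermUrl handler checks that PaRes and MD actually came back by POST with the session's MD before decoding the document. The PaRes XML, session id and URLs are constructed sample values; PaRes signature verification is assumed to happen elsewhere and is not implemented.

```python
import base64
import xml.etree.ElementTree as ET
from html import escape

# Constructed sample values. Real PaReq/PaRes documents are signed XML built by
# the merchant plug-in and the ACS; this example only handles transport.
SAMPLE_MD = "sess-0001"
SAMPLE_PARES_XML = b"<ThreeDSecure><Message><PARes><TX><status>Y</status></TX></PARes></Message></ThreeDSecure>"

def encode_pares(xml_bytes):
    """Base64-encode an XML document the way PaReq/PaRes are carried in the form."""
    return base64.b64encode(xml_bytes).decode("ascii")

def build_acs_form(acs_url, pareq_xml, md, term_url):
    """Auto-submitting POST form that sends the cardholder to the ACS.
    The hop is a cross-domain POST; a POST-to-GET rewrite strips these fields."""
    fields = {"PaReq": encode_pares(pareq_xml), "MD": md, "TermUrl": term_url}
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{escape(v, quote=True)}">'
        for k, v in fields.items())
    return (f'<form method="POST" action="{escape(acs_url, quote=True)}">{inputs}</form>'
            "<script>document.forms[0].submit()</script>")

def handle_term_url(method, form, session_md):
    """Shop-side TermUrl handler. Returns (status, detail) so the shop can tell a
    stripped redirect apart from a failed authentication."""
    if method != "POST":
        # The ACS posts back; a GET means something on the client rewrote it and
        # the PaRes/MD fields are gone, which is the symptom reported above.
        return ("error", "PaRes must arrive by POST; request arrived as GET")
    md, pares = form.get("MD"), form.get("PaRes")
    if not md or not pares:
        return ("error", "missing MD or PaRes")
    if md != session_md:
        # MD must match the session that started the authentication.
        return ("error", "MD does not match the shop session")
    try:
        root = ET.fromstring(base64.b64decode(pares, validate=True))
    except (ValueError, ET.ParseError):
        return ("error", "PaRes is not base64-encoded XML")
    # Signature verification of the PaRes belongs to the merchant plug-in and is
    # not implemented here; only the transport checks are shown.
    return ("ok", root.findtext(".//status"))

if __name__ == "__main__":
    form = {"MD": SAMPLE_MD, "PaRes": encode_pares(SAMPLE_PARES_XML)}
    print(handle_term_url("POST", form, SAMPLE_MD))
    print(handle_term_url("GET", {}, SAMPLE_MD))
```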
XSS POST to GET transform prevents 3-D Secure payments
- GµårÐïåñ
Re: XSS POST to GET transform prevents 3-D Secure payments
Sites using this can offer a notice to their users that if they are using NoScript, they should put <insert regex here> into their exceptions list so they can successfully proceed with checkout; a visually driven instruction for more novice users might help. I suppose if Giorgio finds this to be a common and super problematic problem, he can make the exception default in future releases of NS like he has for wiki, but this is just my two cents.