braintree / braintree-web

A suite of tools for integrating Braintree in the browser
https://developer.paypal.com/braintree/docs/start/hello-client/javascript/v3
MIT License

Referrer-Policy: no-referrer breaks hosted fields on latest Chrome #651

Closed justinbeaty closed 2 years ago

justinbeaty commented 2 years ago

General information

Issue description

I am not sure exactly when this broke, but within the last week I've had a few customers not be able to checkout using our hosted fields integration on Chrome.

On my server, I send Referrer-Policy: no-referrer, and have done this for the past 1.5 years. However, it is now not working because of code in https://assets.braintreegateway.com/web/3.88.1/html/hosted-fields-frame.min.html:formatted:

```javascript
function C() {
    // Takes document.referrer and strips a leading or trailing "/".
    // Under Referrer-Policy: no-referrer this is always "".
    return document.referrer.replace(/(^\/|\/$)/g, "")
}
function w(e) {
    var t, n = C();
    // Resolve e through an anchor element and compare its origin
    // against the (trimmed) referrer; with n === "" this never matches.
    return (t = t || document.createElement("a")).href = e,
    t.origin === n
}
```

Which looks like the verifyDomain arg for braintree/framebus. In this case, n = '' since document.referrer is empty.

I tested MS Edge 106.0.1370.52 and it was working there, but it looks like the above code isn't in the HTML served to MS Edge. I wasn't aware originally that different content was being served to different browsers, but that looks to be the root issue.

In any case, I just changed the referrer policy to strict-origin-when-cross-origin and it works now. I am not sure if this is a wontfix situation, since checking the framebus's origin was probably intentional for security, but I figured it warranted a bug report.
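As an added illustration (not code from braintree-web or from the reporter), here is the quoted check rebuilt so it runs under Node, with a `doc` object standing in for `document`, `URL` in place of the anchor-element trick, and a `referrerFor` model of what a cross-origin frame receives under the two policies discussed in this thread; that model is an assumption, not taken from the page.

```javascript
// Constructed stand-in for the referrer-based origin check in the report.
function referrerOrigin(doc) {
  // Mirrors C(): trims a leading or trailing "/" from document.referrer.
  // Under strict-origin-when-cross-origin the referrer is only the origin
  // plus a trailing "/", so trimming it yields a bare origin.
  return doc.referrer.replace(/(^\/|\/$)/g, "");
}

function verifyDomainByReferrer(doc, url) {
  // Mirrors w(e): the origin of the URL being verified must equal the
  // trimmed referrer. An empty referrer can never equal a real origin,
  // so the check fails closed rather than open.
  return new URL(url).origin === referrerOrigin(doc);
}

// Assumed model of the Referrer header a cross-origin frame sees for the
// parent page under each policy named in this issue (simplified).
function referrerFor(policy, parentUrl) {
  var u = new URL(parentUrl);
  switch (policy) {
    case "no-referrer":
      return "";
    case "strict-origin-when-cross-origin":
      return u.origin + "/";
    default:
      throw new Error("policy not modelled here: " + policy);
  }
}

// Does the frame's referrer-based check accept the parent page under `policy`?
function checkPassesUnder(policy, parentUrl) {
  var doc = { referrer: referrerFor(policy, parentUrl) };
  return verifyDomainByReferrer(doc, parentUrl);
}

// Constructed example merchant page.
var merchantPage = "https://shop.example/checkout";
console.log("no-referrer:", checkPassesUnder("no-referrer", merchantPage));
console.log("strict-origin-when-cross-origin:",
  checkPassesUnder("strict-origin-when-cross-origin", merchantPage));
```

Running it prints `false` for `no-referrer` and `true` for `strict-origin-when-cross-origin`, which is the behaviour change the report describes.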

hollabaq86 commented 2 years ago

👋 @justinbeaty thanks so much for this thorough report! It has, indeed, been very helpful.

Can you please contact Braintree Support referencing this issue and provide the following (if you have it):

- You mentioned getting inbounds from your customers within the last week. Can you provide specific dates/times when your customers contacted you?
- Can you confirm you have been using v3.88.1 during this time? Any other versions?
- Any other browsers you are aware of encountering this issue other than Chrome?
- Your CSP settings (if you feel comfortable sharing with Support)

This will absolutely help our investigation.

anthony-keller commented 2 years ago

We're seeing the same issue across Edge, Chrome and Firefox, e.g. [screenshot].

We've tried setting our referrer policy to strict-origin-when-cross-origin but still have the issue. The last successful payment was 2022-10-03 21:44:39 +00:00. We were on v3.65.0 but still have the issue on 3.88.2.

Using Sandbox we can successfully make a payment despite the errors.

If I attempt a $1 transaction using a Visa in production, our 3DSecure returns liabilityShifted and liabilityShiftPossible as false which we interpret as a fail and abort the payment.

We will raise a support ticket and reference this issue.

anthony-keller commented 2 years ago

Update

We removed our check of liabilityShifted and liabilityShiftPossible and now credit card payments are going through. It seems that on or about 2022-10-03 21:44:39 +00:00 something changed with 3DS that has resulted in all of our customers' cards returning false for those properties.

cgdibble commented 2 years ago

@justinbeaty we apologize for the issue. We have since patched this bug, thank you for reporting this!

justinbeaty commented 2 years ago

@cgdibble Thanks for patching this. I may just keep strict-origin-when-cross-origin instead of no-referrer anyways, but it's good to know I could change it back.