webcompat / web-bugs

A place to report bugs on websites.
https://webcompat.com
Mozilla Public License 2.0

raileurope.co.uk - Unable to process payment on raileurope.co.uk #44639

Closed andreastt closed 4 years ago

andreastt commented 5 years ago

URL: https://raileurope.co.uk/en/payment/new

Browser / Version: Firefox 72.0
Operating System: Mac OS X 10.15
Tested Another Browser: Unknown

Problem type: Site is not usable
Description: Unable to process payment on raileurope.co.uk
Steps to Reproduce:

Steps to reproduce

  1. Put any train ticket (e.g. London to Blackheath) in your basket
  2. Attempt to pay for the ticket using an invalid credit card number (though if you’re feeling lucky you may optionally pay for a train ticket you have no intention of using)
  3. Observe that a modal dialogue appears with the title Payment authorisation

Expected behaviour

For the payment authorisation dialogue to disappear and the site to inform you that the credit card was declined.

Actual behaviour

An <iframe> inside the payment authorisation dialogue displays a CSP warning with the following message:

Blocked by Content Security Policy

An error occurred during a connection to api.braintreegateway.com.

Nightly prevented this page from loading in this way because the page has a content security policy that disallows it.

I observed the following error and warning being emitted to the browser console when the page is loaded:

_[error]_ The resource from “https://td.yieldify.com/yieldify/code.js?w_uuid=2a145426-395…9bcddcba689&k=1&loca=https://raileurope.co.uk/en/payment/new” was blocked due to MIME type (“application/json”) mismatch (X-Content-Type-Options: nosniff).
_[warn]_ Loading failed for the <script> with source “https://td.yieldify.com/yieldify/code.js?w_uuid=2a145426-395…9bcddcba689&k=1&loca=https://raileurope.co.uk/en/payment/new”.

As you attempt to place the order (pay for the tickets), I additionally observe this warning and error:

XHR POST https://raileurope.co.uk/en/payment/client_event
[HTTP/2.0 200 OK 225ms]

XHR POST https://payments.braintree-api.com/graphql
[HTTP/2.0 200 OK 100ms]

XHR POST https://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 886ms]

XHR POST https://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 903ms]

XHR POST https://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 655ms]

XHR POST https://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 658ms]

XHR OPTIONS https://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/tokencc_bh_vn92f2_6khmf4_hn2ymd_s3md45_jwz/three_d_secure/lookup
[HTTP/1.1 200 OK 843ms]

POST https://www.facebook.com/tr/
[HTTP/2.0 200 OK 34ms]

XHR POST https://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/tokencc_bh_vn92f2_6khmf4_hn2ymd_s3md45_jwz/three_d_secure/lookup
[HTTP/1.1 201 Created 1746ms]

POST https://c.contentsquare.net/events?v=9.1.0&sr=100&mdh=988&re=1&pn=4&uu=98ad25dd-baea-ae30-c0b5-e036d593ac67&sn=5&lv=1573654628&lhd=1573654628&hd=1573654853&pid=2918&str=831&di=1512&dc=3451&fl=3455&eu=%5B%5B2%2C776969%2C661%2C204%5D%2C%5B2%2C777751%2C634%2C204%5D%2C%5B2%2C778155%2C21%2C225%5D%2C%5B2%2C817901%2C1087%2C145%5D%2C%5B2%2C819052%2C1079%2C145%5D%2C%5B2%2C819453%2C485%2C313%5D%2C%5B2%2C819853%2C21%2C272%5D%2C%5B2%2C820255%2C9%2C272%5D%2C%5B2%2C1336875%2C858%2C517%5D%2C%5B2%2C1337276%2C548%2C383%5D%2C%5B2%2C1337684%2C541%2C378%5D%2C%5B1%2C1338111%2C0%2C0%2C483%5D%2C%5B1%2C1340032%2C0%2C0%2C405%5D%2C%5B1%2C1340262%2C0%2C0%2C184%5D%2C%5B6%2C1341399%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B2%2C1341412%2C608%2C865%5D%2C%5B3%2C1341874%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B4%2C1341933%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B5%2C1341971%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B7%2C1342048%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B2%2C1342514%2C608%2C862%5D%2C%5B2%2C1342914%2C592%2C13%5D%2C%5B2%2C1343318%2C592%2C0%5D%5D
[HTTP/1.1 200 OK 2070ms]

GET https://assets.braintreegateway.com/web/3.46.0/html/three-d-secure-bank-frame.min.html?showLoader=false
[HTTP/1.1 200 OK 0ms]

XHR POST https://raileurope.co.uk/en/payment/client_event
[HTTP/2.0 200 OK 88ms]

XHR POST https://c.paypal.com/v1/r/d/b/e
[HTTP/1.1 200 OK 2485ms]

POST https://1eaf.cardinalcommerce.com/EAFService/jsp/v1/redirect
[HTTP/1.1 200  506ms]

GET https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[HTTP/2.0 200 OK 0ms]

GET https://1eaf.cardinalcommerce.com/EAFService/includes/js/framedata.js
[HTTP/1.1 200  0ms]

GET https://1eaf.cardinalcommerce.com/EAFService/jsp/v1/profile?payload=P.33e672e8dd12f59af8d5f3121a524235d8135ff7a9de4e8a070ba68cde916dc84515356c6584d7b83733b20fd25e444dcb405e2cbbd430601b3effee2430dba465b2e820915630c5c0da3678ac6d1944
[HTTP/1.1 200  105ms]

POST https://www.clicksafe.lloydstsb.com/lloyds/tdsecure/opt_in_dispatcher.jsp?partner=debit&VAA=B
[HTTP/1.1 200 OK 230ms]

GET https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[HTTP/2.0 200 OK 0ms]

GET https://1eaf.cardinalcommerce.com/EAFService/includes/js/fingerprint2.min.js
[HTTP/1.1 200  0ms]

GET https://1eaf.cardinalcommerce.com/EAFService/includes/js/profile.min.js
[HTTP/1.1 200  0ms]

XHR POST https://1eaf.cardinalcommerce.com/EAFService/v1/saveProfilingData
[HTTP/1.1 200  97ms]

GET https://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/TDSecure_functions.jsp
[HTTP/1.1 200 OK 16ms]

GET https://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/dfp.js
[HTTP/1.1 200 OK 143ms]

GET https://www.clicksafe.lloydstsb.com/static/lloyds/css/TDSecure.css
[HTTP/1.1 200 OK 0ms]

POST https://www.clicksafe.lloydstsb.com/lloyds/tdsecure/intro.jsp
[HTTP/1.1 200 OK 425ms]

GET https://www.clicksafe.lloydstsb.com/static/lloyds/css/TDSecure.css
[HTTP/1.1 200 OK 0ms]

GET https://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/TDSecure_functions.jsp
[HTTP/1.1 200 OK 18ms]

GET https://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/dfp.js
[HTTP/1.1 200 OK 28ms]

POST https://1eaf.cardinalcommerce.com/EAFService/jsp/v1/term
[HTTP/1.1 200  106ms]

XHR POST https://1eaf.cardinalcommerce.com/EAFService/v1/saveMouseData
[HTTP/1.1 200  94ms]

XHR POST https://1eaf.cardinalcommerce.com/EAFService/v1/savePageData
[HTTP/1.1 200  96ms]

POST https://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/56cdc086-c01b-0aa3-fcef-4f3df7446af2/three_d_secure/authenticate?authorization_fingerprint=e33055e5ba517cf5f3a8f7db727919ef80e11be3f74141849b150ab5e7a91e6b%7Ccreated_at%3D2019-11-13T14%3A20%3A51.788104187%2B0000%26merchant_account_id%3Dpatloco2com%26merchant_id%3Dbkhsm496zxdwq7ff%26public_key%3D4wvmkbbr8yfzmygd&authorization_fingerprint_64=ZTMzMDU1ZTViYTUxN2NmNWYzYThmN2RiNzI3OTE5ZWY4MGUxMWJlM2Y3NDE0MTg0OWIxNTBhYjVlN2E5MWU2YnxjcmVhdGVkX2F0PTIwMTktMTEtMTNUMTQ6MjA6NTEuNzg4MTA0MTg3KzAwMDAmbWVyY2hhbnRfYWNjb3VudF9pZD1wYXRsb2NvMmNvbSZtZXJjaGFudF9pZD1ia2hzbTQ5Nnp4ZHdxN2ZmJnB1YmxpY19rZXk9NHd2bWtiYnI4eWZ6bXlnZA%3D%3D&three_d_secure_version=3.46.0&authentication_complete_base_url=https%3A%2F%2Fassets.braintreegateway.com%2Fweb%2F3.46.0%2Fhtml%2Fthree-d-secure-authentication-complete-frame.html%3Fchannel%3Dec31ed84-fa7a-45c7-a016-f3a5bf064a32%26
[HTTP/1.1 302 Found 928ms]

Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.

XHR POST https://1eaf.cardinalcommerce.com/EAFService/v1/saveMouseData
[HTTP/1.1 200  94ms]

XHR POST https://1eaf.cardinalcommerce.com/EAFService/v1/savePageData
[HTTP/1.1 200  96ms]

No strings exist for this error type aboutNetError.js:400:13

[Screenshot attached]

Browser Configuration
  • None

From webcompat.com with ❤️
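
As an added example (not code from this report, from Firefox or from Braintree), the checker below mirrors the two browser decisions behind the console messages quoted above: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and under X-Content-Type-Options: nosniff a script response must carry a JavaScript MIME type. All origins and header values are constructed, and host-source matching ignores ports and paths.

```javascript
// Added example (not from the report, Firefox or Braintree): reproduces the two
// browser decisions behind the console messages quoted above. Constructed data;
// host sources ignore port and path for brevity.

// Parse a Content-Security-Policy header into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(src, frameOrigin, embedderOrigin) {
  const e = new URL(embedderOrigin);
  src = src.replace(/^'(.*)'$/, "$1").toLowerCase();
  if (src === "none") return false;
  if (src === "self") return embedderOrigin === frameOrigin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return e.protocol === src; // scheme source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m || (m[1] && e.protocol !== m[1] + ":")) return false;
  const host = m[2];
  if (host.startsWith("*.")) return e.hostname.endsWith(host.slice(1)) && e.hostname !== host.slice(2);
  return e.hostname === host;
}

// Framing decision for a frame served with these headers. As in Firefox,
// X-Frame-Options is ignored whenever the CSP carries frame-ancestors.
function framingDecision({ frameOrigin, embedderOrigin, csp = "", xfo = "" }) {
  const ancestors = parseCsp(csp).get("frame-ancestors");
  if (ancestors) {
    const allowed = ancestors.some((s) => sourceMatches(s, frameOrigin, embedderOrigin));
    return { allowed, reason: xfo ? "frame-ancestors (x-frame-options ignored)" : "frame-ancestors" };
  }
  const v = xfo.trim().toUpperCase();
  if (v === "DENY") return { allowed: false, reason: "x-frame-options: DENY" };
  if (v === "SAMEORIGIN") return { allowed: embedderOrigin === frameOrigin, reason: "x-frame-options: SAMEORIGIN" };
  return { allowed: true, reason: "no framing restriction" };
}

// With X-Content-Type-Options: nosniff a <script> response needs a JavaScript
// MIME type; the report shows an application/json body being rejected.
function scriptBlockedByNosniff(contentType, xcto = "") {
  if (xcto.trim().toLowerCase() !== "nosniff") return false;
  const mime = contentType.split(";")[0].trim().toLowerCase();
  return !/^(text|application)\/(x-)?(java|ecma)script$/.test(mime);
}
```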

andreastt commented 5 years ago

[Three screenshots attached]

andreastt commented 5 years ago

For additional context, the problem is not reproducible in Firefox stable (70.0.1) or in Safari (13.0.3 15608.3.10.1.4).

I wonder if this is due to a change in CSP policy in Firefox, and whether this policy change is expected.

andreastt commented 5 years ago

The problem is also not reproducible in Chrome Canary (80.0.3966.0).

cipriansv commented 4 years ago

Thank you for your report @andreastt.

Moving to needsdiagnosis for further investigations.

karlcow commented 4 years ago

@andreastt could you check if it's a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1584993?

That looks a lot like #44013

andreastt commented 4 years ago

@karlcow Do you know where/how to get a build immediately prior to https://bugzilla.mozilla.org/show_bug.cgi?id=1584993 to test this?

karlcow commented 4 years ago

I remember Xidorn once sharing a tip for this:

FWIW, I always find that the easiest way to run some build is using mozregression's "Run a single build", which would take care of downloading, unpacking, and creating a new profile for it.

In this case, you'd want to choose "try" and input changeset "b5a512aaef49".

So if you check the changelog https://hg.mozilla.org/integration/autoland/log/e21ad27bfd0a2fef90919101eaef5aa5af1cc6c2

Probably the one you are looking for is: d9d678e7422e0fbf84160b6060452910e8deeb33

karlcow commented 4 years ago

@andreastt did you have a chance to test?

karlcow commented 4 years ago

OK, it has been one month. I'm closing this as incomplete, but @andreastt, do not hesitate to ping us again when you test it.

lock[bot] commented 4 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue at https://webcompat.com/issues/new if you are experiencing a similar problem.