Emurgo/yoroi-frontend

Yoroi extension (incorrectly?) adding fields to payment form

marcobaldo opened this issue · 5 comments

I suddenly started getting invalid card number errors when entering my details in this form. This form is not from Yoroi but from a payment service popular in the Philippines. If I disable the extension and refresh the page, the field borders suddenly look correct. See screenshots.

[screenshot]

Notice the form borders. The expiry dates are also correctly rendered as dropdowns.
[screenshot]

O_o

Thank you for the report, @marcobaldo! This is weird as heck, but we'll look into any technical possibilities for this happening. It would be very helpful if you could provide details on which browser you are using and which website it is where you have this issue happening, if possible of course.

Hi @vsubhuman, I'm using Chrome.

Version 98.0.4758.102 (Official Build) (64-bit)
Windows 10 Pro 21H1, 19043.1526

Not sure if you can get to the site as it's a payment form redirect from a checkout page with POST-ed data (kinda like Stripe checkout used by local businesses), but the URL is https://pesopay.com/b2c2/eng/payment/payForm2.jsp

Happy to provide other details if you need it.

Edit: I can provide a diff/side by side of the resulting HTMLs if that helps. Let me just remove identifiers.

Unfortunately these are the only things I can provide.

The diffs are a bit useless as only titles seem changed on the main page - the form fields are inside iframes. This is what they look like. (left with extension disabled, right enabled)
[screenshot]

It seems they render each field inside individual iframes which also trigger the extension (?).

Attached are two files:

  1. html.txt - The original server response. This is identical with extensions enabled/disabled. I just replaced all potential sensitive info with "xxxxxx". There's a session.js included at the top that seems to be responsible for rendering the iframes.
  2. iframe.txt - One resulting iframe with the extension enabled. With it disabled, the only difference is the input right after isn't there.

html.txt
iframe.txt

@vsubhuman seems like the connector is injected in the iframes as well instead of being limited to the top window?

Correct me if I'm wrong but if there's no usage of the connector inside an iframe, we can limit that by checking if we're on the top window and include the scripts only if true.

Any dex or partner using an iframe to load the connector?
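The top-window guard proposed in the comment above, written out as an added example. This is not code from the yoroi-frontend repository; it assumes the connector is injected by a content script that currently runs in every frame, and the script path `CONNECTOR_SCRIPT` plus the fake `window`/`document` stand-ins used to exercise the guard outside a browser are constructed for the demo.

```javascript
// Added example (not Yoroi's code): only inject the dapp-connector page script
// when the content script runs in the top-level window, so per-field payment
// iframes like the ones in the report are left untouched.

const CONNECTOR_SCRIPT = 'js/connector.js'; // assumed path inside the extension bundle

function isTopWindow(win) {
  try {
    // Identity comparison against win.top is safe even when the parent is
    // cross-origin; only property access on a cross-origin window throws.
    return win.top === win;
  } catch (e) {
    // If we cannot even compare, behave as if framed and do not inject.
    return false;
  }
}

// Returns true if the connector was injected, false if it was skipped.
function injectConnector(win, doc) {
  if (!isTopWindow(win)) {
    return false; // inside an iframe: do not touch the embedded page's DOM
  }
  const script = doc.createElement('script');
  script.src = CONNECTOR_SCRIPT;
  (doc.head || doc.documentElement).appendChild(script);
  return true;
}

// Minimal stand-ins so the guard can be run under Node (constructed for the demo).
function makeWindow(top) {
  const w = {};
  w.top = top === undefined ? w : top; // a top window is its own .top
  return w;
}

function makeDocument() {
  const appended = [];
  const head = { appendChild: (el) => appended.push(el) };
  return {
    head,
    documentElement: head,
    createElement: (tag) => ({ tagName: tag }),
    appended,
  };
}

// In a real content script this is the only call needed:
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  injectConnector(window, document);
}
```

The runtime check is independent of the manifest: a `content_scripts` entry with `all_frames` left at its default of `false` never runs in subframes at all, while an entry with `all_frames: true` (or a script injected programmatically into every frame) needs a guard like `isTopWindow` to avoid modifying third-party iframes such as a payment provider's card fields.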