1

So I'm writing a project using Symfony + Sylius. I have a form which gets submitted via ajax to a /{paymentId}/pay route, this in turn calls the payum controller which handles the payment and sends a redirect to /payment/capture/{token} which then redirects again to display a card details form, this card details form is loaded in an iFrame. However, the route for /payment/capture is served via http and therefore never appears in the iFrame due to this error: 

Mixed Content: The page at 'https://www.example.com/checkout/complete' was loaded over HTTPS, but requested an insecure form action 'http://www.example.com/payment/capture/SOMETOKENVALUE'. This request has been blocked; the content must be served over HTTPS.

How can I force the payment/capture route to server https? I've tried a few things such as adding

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

to my templates and setting the scheme requirement in my order.yml:

sylius_shop_order_pay:
    path: /{paymentId}/pay
    methods: [GET]
    defaults:
        _controller: sylius.controller.payum:prepareCaptureAction
        requirements:
            _scheme:  https
        _sylius:
            redirect:
                route: sylius_shop_order_after_pay

sylius_shop_order_after_pay:
    path: /after-pay
    methods: [GET]
    defaults:
        _controller: sylius.controller.payum:afterCaptureAction
        requirements:
            _scheme:  https

However since the actual /payment/capture route is generated at run time, I'm not sure if I can force it onto https.

I have also tried via access control: 

access_control:

    - { path: ^/payment, role: ROLE_NO_ACCESS, requires_channel: https}

Any help would be greatly appreciated. Thanks

EDIT:

complete.html.twig:

    {{ form_start(form, {'action': path('sylius_shop_checkout_complete'), 'attr': {'class': 'ui loadable form final-step', 'novalidate': 'novalidate', 'target' : 'card-details'}}) }}
    {{ form_errors(form) }}
    <input type="hidden" name="_method" value="PUT" />
    {% include 'SyliusShopBundle:Common/Order:_summary.html.twig' with {'edit': true} %}

    {{ form_row(form._token) }}
    {{ form_end(form, {'render_rest': false}) }}

    <iframe width="100%" height="670px" name="card-details" style="border: none;"></iframe>

checkout.js:

let form = jQuery("form[name='sylius_checkout_complete']");

if (form.length) {
    form.submit()
}
UUake Up
  • 390
  • 4
  • 17
  • `to display a card details form, this card details form is loaded in an iFrame` post the relevant code/template please – Xymanek Oct 11 '17 at 09:31
  • question updated – UUake Up Oct 11 '17 at 09:50
  • What is the url generated for `sylius_shop_checkout_complete`? – Xymanek Oct 11 '17 at 11:08
  • /checkout/complete, same page as where form is loaded. – UUake Up Oct 11 '17 at 11:22
  • I'm confused then, what generates the folowing url: `http://www.example.com/payment/capture/SOMETOKENVALUE`? – Xymanek Oct 11 '17 at 11:23
  • found the route that does and overrode it to force https: `payum_capture_do: path: /payment/capture/{payum_token} defaults: { _controller: sylius.controller.payum.capture:doAction } schemes: [https] ` The only problem is now I get too many redirects -.- – UUake Up Oct 11 '17 at 13:18

0 Answers0