URL: https://raileurope.co.uk/en/payment/new
Browser / Version: Firefox 72.0
Operating System: Mac OS X 10.15
Tested Another Browser: Unknown
Problem type: Site is not usable
Description: Unable to process payment on raileurope.co.uk
Steps to Reproduce:
- Put any train ticket (e.g. London to Blackheath) in your basket
- Attempt to pay for the ticket using an invalid credit card number (though if you’re feeling lucky you may optionally pay for a train ticket you have no intention of using)
- Observe that a modal dialogue appears with the title "Payment authorisation"
Expected behaviour
For the payment authorisation dialogue to disappear and the site to inform you that the credit card was declined.
Actual behaviour
An <iframe> inside the payment authorisation dialogue displays a CSP warning with the following message:
Blocked by Content Security Policy
An error occurred during a connection to api.braintreegateway.com.
Nightly prevented this page from loading in this way because the page has a content security policy that disallows it.
I observed the following error and warning being emitted to the browser console when the page is loaded:
_[error]_ The resource from “https://td.yieldify.com/yieldify/code.js?w_uuid=2a145426-395…9bcddcba689&k=1&loca=https://raileurope.co.uk/en/payment/new” was blocked due to MIME type (“application/json”) mismatch (X-Content-Type-Options: nosniff).
_[warn]_ Loading failed for the <script> with source “https://td.yieldify.com/yieldify/code.js?w_uuid=2a145426-395…9bcddcba689&k=1&loca=https://raileurope.co.uk/en/payment/new”.
As you attempt to place the order (pay for the tickets), I additionally observe this warning and error:
XHRPOSThttps://raileurope.co.uk/en/payment/client_event
[HTTP/2.0 200 OK 225ms]
XHRPOSThttps://payments.braintree-api.com/graphql
[HTTP/2.0 200 OK 100ms]
XHRPOSThttps://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 886ms]
XHRPOSThttps://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 903ms]
XHRPOSThttps://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 655ms]
XHRPOSThttps://client-analytics.braintreegateway.com/bkhsm496zxdwq7ff
[HTTP/1.1 200 OK 658ms]
XHROPTIONShttps://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/tokencc_bh_vn92f2_6khmf4_hn2ymd_s3md45_jwz/three_d_secure/lookup
[HTTP/1.1 200 OK 843ms]
POSThttps://www.facebook.com/tr/
[HTTP/2.0 200 OK 34ms]
XHRPOSThttps://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/tokencc_bh_vn92f2_6khmf4_hn2ymd_s3md45_jwz/three_d_secure/lookup
[HTTP/1.1 201 Created 1746ms]
POSThttps://c.contentsquare.net/events?v=9.1.0&sr=100&mdh=988&re=1&pn=4&uu=98ad25dd-baea-ae30-c0b5-e036d593ac67&sn=5&lv=1573654628&lhd=1573654628&hd=1573654853&pid=2918&str=831&di=1512&dc=3451&fl=3455&eu=%5B%5B2%2C776969%2C661%2C204%5D%2C%5B2%2C777751%2C634%2C204%5D%2C%5B2%2C778155%2C21%2C225%5D%2C%5B2%2C817901%2C1087%2C145%5D%2C%5B2%2C819052%2C1079%2C145%5D%2C%5B2%2C819453%2C485%2C313%5D%2C%5B2%2C819853%2C21%2C272%5D%2C%5B2%2C820255%2C9%2C272%5D%2C%5B2%2C1336875%2C858%2C517%5D%2C%5B2%2C1337276%2C548%2C383%5D%2C%5B2%2C1337684%2C541%2C378%5D%2C%5B1%2C1338111%2C0%2C0%2C483%5D%2C%5B1%2C1340032%2C0%2C0%2C405%5D%2C%5B1%2C1340262%2C0%2C0%2C184%5D%2C%5B6%2C1341399%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B2%2C1341412%2C608%2C865%5D%2C%5B3%2C1341874%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B4%2C1341933%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B5%2C1341971%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B7%2C1342048%2C608%2C865%2C%22li%23order_submit_action%3Ebutton%3Aeq(0)%22%5D%2C%5B2%2C1342514%2C608%2C862%5D%2C%5B2%2C1342914%2C592%2C13%5D%2C%5B2%2C1343318%2C592%2C0%5D%5D
[HTTP/1.1 200 OK 2070ms]
GEThttps://assets.braintreegateway.com/web/3.46.0/html/three-d-secure-bank-frame.min.html?showLoader=false
[HTTP/1.1 200 OK 0ms]
XHRPOSThttps://raileurope.co.uk/en/payment/client_event
[HTTP/2.0 200 OK 88ms]
XHRPOSThttps://c.paypal.com/v1/r/d/b/e
[HTTP/1.1 200 OK 2485ms]
POSThttps://1eaf.cardinalcommerce.com/EAFService/jsp/v1/redirect
[HTTP/1.1 200 506ms]
GEThttps://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[HTTP/2.0 200 OK 0ms]
GEThttps://1eaf.cardinalcommerce.com/EAFService/includes/js/framedata.js
[HTTP/1.1 200 0ms]
GEThttps://1eaf.cardinalcommerce.com/EAFService/jsp/v1/profile?payload=P.33e672e8dd12f59af8d5f3121a524235d8135ff7a9de4e8a070ba68cde916dc84515356c6584d7b83733b20fd25e444dcb405e2cbbd430601b3effee2430dba465b2e820915630c5c0da3678ac6d1944
[HTTP/1.1 200 105ms]
POSThttps://www.clicksafe.lloydstsb.com/lloyds/tdsecure/opt_in_dispatcher.jsp?partner=debit&VAA=B
[HTTP/1.1 200 OK 230ms]
GEThttps://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[HTTP/2.0 200 OK 0ms]
GEThttps://1eaf.cardinalcommerce.com/EAFService/includes/js/fingerprint2.min.js
[HTTP/1.1 200 0ms]
GEThttps://1eaf.cardinalcommerce.com/EAFService/includes/js/profile.min.js
[HTTP/1.1 200 0ms]
XHRPOSThttps://1eaf.cardinalcommerce.com/EAFService/v1/saveProfilingData
[HTTP/1.1 200 97ms]
GEThttps://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/TDSecure_functions.jsp
[HTTP/1.1 200 OK 16ms]
GEThttps://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/dfp.js
[HTTP/1.1 200 OK 143ms]
GEThttps://www.clicksafe.lloydstsb.com/static/lloyds/css/TDSecure.css
[HTTP/1.1 200 OK 0ms]
POSThttps://www.clicksafe.lloydstsb.com/lloyds/tdsecure/intro.jsp
[HTTP/1.1 200 OK 425ms]
GEThttps://www.clicksafe.lloydstsb.com/static/lloyds/css/TDSecure.css
[HTTP/1.1 200 OK 0ms]
GEThttps://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/TDSecure_functions.jsp
[HTTP/1.1 200 OK 18ms]
GEThttps://www.clicksafe.lloydstsb.com/lloyds/jscript_lib/dfp.js
[HTTP/1.1 200 OK 28ms]
POSThttps://1eaf.cardinalcommerce.com/EAFService/jsp/v1/term
[HTTP/1.1 200 106ms]
XHRPOSThttps://1eaf.cardinalcommerce.com/EAFService/v1/saveMouseData
[HTTP/1.1 200 94ms]
XHRPOSThttps://1eaf.cardinalcommerce.com/EAFService/v1/savePageData
[HTTP/1.1 200 96ms]
POSThttps://api.braintreegateway.com/merchants/bkhsm496zxdwq7ff/client_api/v1/payment_methods/56cdc086-c01b-0aa3-fcef-4f3df7446af2/three_d_secure/authenticate?authorization_fingerprint=e33055e5ba517cf5f3a8f7db727919ef80e11be3f74141849b150ab5e7a91e6b%7Ccreated_at%3D2019-11-13T14%3A20%3A51.788104187%2B0000%26merchant_account_id%3Dpatloco2com%26merchant_id%3Dbkhsm496zxdwq7ff%26public_key%3D4wvmkbbr8yfzmygd&authorization_fingerprint_64=ZTMzMDU1ZTViYTUxN2NmNWYzYThmN2RiNzI3OTE5ZWY4MGUxMWJlM2Y3NDE0MTg0OWIxNTBhYjVlN2E5MWU2YnxjcmVhdGVkX2F0PTIwMTktMTEtMTNUMTQ6MjA6NTEuNzg4MTA0MTg3KzAwMDAmbWVyY2hhbnRfYWNjb3VudF9pZD1wYXRsb2NvMmNvbSZtZXJjaGFudF9pZD1ia2hzbTQ5Nnp4ZHdxN2ZmJnB1YmxpY19rZXk9NHd2bWtiYnI4eWZ6bXlnZA%3D%3D&three_d_secure_version=3.46.0&authentication_complete_base_url=https%3A%2F%2Fassets.braintreegateway.com%2Fweb%2F3.46.0%2Fhtml%2Fthree-d-secure-authentication-complete-frame.html%3Fchannel%3Dec31ed84-fa7a-45c7-a016-f3a5bf064a32%26
[HTTP/1.1 302 Found 928ms]
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive.
XHRPOSThttps://1eaf.cardinalcommerce.com/EAFService/v1/saveMouseData
[HTTP/1.1 200 94ms]
XHRPOSThttps://1eaf.cardinalcommerce.com/EAFService/v1/savePageData
[HTTP/1.1 200 96ms]
No strings exist for this error type aboutNetError.js:400:13

Browser Configuration
From webcompat.com with ❤️
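The two browser decisions behind the console messages in the report above, modelled in JavaScript as an added example (this is not code from the report, from webcompat.com, or from any of the sites or vendors named in the log): first, the rule Firefox logged as "Ignoring 'x-frame-options' because of 'frame-ancestors' directive", where a CSP `frame-ancestors` directive takes precedence and every origin in the ancestor chain, not only the immediate parent, must match a listed source; second, the `X-Content-Type-Options: nosniff` rule that blocks a `<script>` whose response is not served with a JavaScript MIME type. The header values, the `acs.bank.example` origin and the ancestor chain are constructed for illustration and are assumptions, not observed responses.

```javascript
// Added example: a model of two browser decisions seen in the report's console.
// (1) Framing: when a response carries CSP frame-ancestors, X-Frame-Options is
//     ignored and every ancestor origin in the chain must match a listed source.
// (2) Scripts: under X-Content-Type-Options: nosniff, a <script> response whose
//     Content-Type is not a JavaScript MIME type is blocked.
// Header names are expected in lower case; all sample values are constructed.

// Parse a CSP header into Map<directive, sources[]>; a repeated directive is ignored.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return directives;
}

// Does one frame-ancestors source expression match an ancestor origin?
// `ancestor` and `self` (the framed response's own origin) are URL objects.
function sourceMatches(source, ancestor, self) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestor.origin === self.origin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src; // scheme-source
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme
    ? ancestor.protocol === scheme + ":"
    : ancestor.protocol === self.protocol ||
      (self.protocol === "http:" && ancestor.protocol === "https:");
  const hostOk = wildcard ? ancestor.hostname.endsWith("." + host) : ancestor.hostname === host;
  const defaultPort = ancestor.protocol === "https:" ? "443" : "80";
  const portOk = !port || port === "*" || (ancestor.port || defaultPort) === port;
  return schemeOk && hostOk && portOk;
}

// May a response from `responseOrigin` be rendered inside the given ancestor
// chain (top-level document first)? Mirrors the precedence Firefox logged:
// "Ignoring 'x-frame-options' because of 'frame-ancestors' directive".
function isFramingAllowed(headers, responseOrigin, ancestorOrigins) {
  const self = new URL(responseOrigin);
  const ancestors = ancestorOrigins.map((o) => new URL(o));
  const csp = headers["content-security-policy"];
  const frameAncestors = csp ? parseCsp(csp).get("frame-ancestors") : undefined;
  if (frameAncestors) {
    // An empty source list behaves like 'none'; every ancestor must match.
    return ancestors.every((a) => frameAncestors.some((s) => sourceMatches(s, a, self)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return ancestors.every((a) => a.origin === self.origin);
  return true; // no header, or an unrecognised value, imposes no restriction
}

// JavaScript MIME type essences accepted for <script> when nosniff is set.
const JS_MIME_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "application/ecmascript", "text/jscript", "text/x-javascript",
]);

// True when a script response would be rejected, as the yieldify code.js was
// (served as application/json with nosniff).
function scriptBlockedByNosniff(headers) {
  const xcto = (headers["x-content-type-options"] || "").split(",")[0].trim().toLowerCase();
  if (xcto !== "nosniff") return false;
  const essence = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  return !JS_MIME_TYPES.has(essence);
}

// Constructed scenario shaped like the report: merchant page -> Braintree
// bank-frame helper -> a hypothetical bank challenge page at acs.bank.example.
const CHAIN = ["https://raileurope.co.uk", "https://assets.braintreegateway.com"];
const ACS = "https://acs.bank.example";

function framingScenarios() {
  return {
    // Only the immediate parent is listed: the top-level merchant origin fails
    // to match, so the frame is blocked even with no X-Frame-Options present.
    onlyParentListed: isFramingAllowed(
      { "content-security-policy": "frame-ancestors https://assets.braintreegateway.com" }, ACS, CHAIN),
    // Whole chain listed; the SAMEORIGIN X-Frame-Options is ignored in favour of CSP.
    wholeChainListed: isFramingAllowed(
      { "content-security-policy": "frame-ancestors https://assets.braintreegateway.com https://raileurope.co.uk",
        "x-frame-options": "SAMEORIGIN" }, ACS, CHAIN),
    // No CSP at all: X-Frame-Options alone decides.
    xfoDenyOnly: isFramingAllowed({ "x-frame-options": "DENY" }, ACS, CHAIN),
  };
}

console.log(framingScenarios());
console.log(scriptBlockedByNosniff({ "x-content-type-options": "nosniff", "content-type": "application/json" }));
```

When diagnosing a blocked 3-D Secure frame, the practical check is therefore to capture the response headers of the framed document (and of every redirect hop, since the 302 in the log means the final response's policy is the one that counts) and run the complete ancestor chain, top-level merchant origin included, through the `frame-ancestors` sources; a policy that only names the immediate embedding helper will fail exactly as `onlyParentListed` does here.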