Paymill: 3D-Secure bug with at least one bank?

Question

I make payment with Paymill API using 3D secure:

paymill.createToken(params, paymillResponseHandler, tdsInit, tdsCleanup);

this part from documentation complitely don't work:

var tdsInit = function(iframeUrl, cancelFn) {
  var body   = document.body || document.getElementsByTagName('body')[0];
  var iframe = document.createElement('iframe');

  iframe.id               = 'tdsIframe';
  iframe.src              = iframeUrl;
  iframe.width            = 600;
  iframe.height           = 500;
  iframe.style.zIndex     = 0xffffffff;
  iframe.style.background = '#fff';
  iframe.style.position   = 'absolute';

  body.insertBefore(iframe, body.firstChild);
};

So i do this way:

function tdsInit(iframeUrl, cancelFn) {
    var body   = document.body;
    var div3D  = document.createElement("div");
    div3D.id = "div3Dsecure";
    body.insertBefore(div3D, body.firstChild);
    var pareq = decodeURIComponent(iframeUrl.params.PaReq.replace(/\+/g,  " "));
    var termurl = decodeURIComponent(iframeUrl.params.TermUrl.replace(/\+/g,  " "));
    div3D.innerHTML='.$dot.'<form id="3Dsecureform" action="'.$dot.'+iframeUrl.url+'.$dot.'" method="POST"><textarea name="PaReq" style="display:none">'.$dot.'+pareq+'.$dot.'</textarea><input type="hidden" name="TermUrl" value='.$dot.'+termurl+'.$dot.'><input type="hidden" name="MD" value='.$dot.'+iframeUrl.params.MD+'.$dot.'></form>'.$dot.';
    var iframe = document.createElement("iframe");
    iframe.id               = "tdsIframe";
    iframe.src              = "";
    iframe.width            = 600;
    iframe.height           = 500;
    iframe.style.zIndex     = 0xffffffff;
    iframe.style.background = "#fff";
    iframe.style.position   = "absolute";
    iframe.scrolling        = "no";
    body.insertBefore(iframe, body.firstChild);
    document.forms[0].target = "tdsIframe";
    document.forms[0].submit();
};

Payments go ok, but when client do payment using card from Sberbank we have problem : iframe instead of showing 3D Secure page from ACS only make a response about successfully auth this payment.

<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Return to Merchant's site</title>
<SCRIPT>
            function onLoadHandler() {
                document["PAResForm"].submit();
            }
        </SCRIPT>
</head>
<body onLoad="onLoadHandler();">
<BR>
<BR>Processing...
        <FORM NAME="PAResForm" METHOD="post" ACTION="https://ctpe.net/payment/threedsecure?ndcid=8BE948ADB647AF64A9C2640B81DC4B82.lon-vm-fe05&jsessionid=.lon-vm-ps02">
<INPUT NAME="PaRes" TYPE="hidden" VALUE="eJxVkLFuAjEMhl/Fyt7kOAnRwRcGKBtT6YyinI+LlMSVExCP30OEVpW82L/9/bZxe08RbiQlcB7USncKKHseQ74M6ut0eHtXW4unWYj2n+SvQhaPVIq7EIRxUPcprc+bc69XXdd3G2XxQ4TFYmPaBal7NK8U6SHveCS7RvOXPOuNbA8syVXgCTgTsEBiIaBIiXItEJbINxfDCM57lse2UBnqTFC+yYcpeFcXO90sXtyny56qC9EeSfzsctVXia2vKWjaEeZ30Px7wQ9uC2z4"><INPUT NAME="MD" TYPE="hidden" VALUE="8a8394823cd8c78d013cf365e77a3ac5">
</FORM>
</body>
</html>

First I think that there was some mistakes in Sberbank, but client make another payment using another PSP and have 3D secure window from Sberbank :

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<SCRIPT LANGUAGE="JavaScript" SRC="/sberbank/common/global.js"></SCRIPT>
<LINK href="/sberbank/common/va_style.css" rel=STYLESHEET type="text/css">
<title>Verified by VISA - Пароль безопасности</title>
<SCRIPT type="text/javascript">
strBeforeUnload = "Ваша транзакция не завершена!\
Для продолжения, нажмите кнопку 'Отмена' и введите пароль на странице проверки безопасности.";
<!-- page for OTP_SMS -->
var PAMs = new Array();
PAMs[0] = new Array("0","None");

I cannot understand where I do a mistake. Maybe anyone can help me ?

Answer 1

Im sorry but there seems to be an outdated code example in the documentation. Please have a look at the following example for the tdsInit() callback (this is a simplified version of the Bridge.js default implementation of this in order to illustrate the process):

var tdsInit = function tdsInit(redirect, cancelCallback) {
    var url = redirect.url, params = redirect.params;
    var body = document.body || document.getElementsByTagName('body')[0];

    var iframe = document.createElement('iframe');
    body.insertBefore(iframe, body.firstChild);

    var iframeDoc = iframe.contentWindow || iframe.contentDocument;
    if (iframeDoc.document) iframeDoc = iframeDoc.document;

    var form = iframeDoc.createElement('form');
    form.method = 'post';
    form.action = url;

    for (var k in params) {
        var input = iframeDoc.createElement('input');
        input.type = 'hidden';
        input.name = k;
        input.value = decodeURIComponent(params[k]);
        form.appendChild(input);
    }

    if (iframeDoc.body) iframeDoc.body.appendChild(form);
    else iframeDoc.appendChild(form);

    form.submit();
};

Note however that tdsInit and tdsEnd are both optional parameters. You only need these if you want to customize the look&feel of the iframe.