What this page tests: a common real-world pattern where the
merchant's own page (this one) embeds a PSP's hosted payment form in
an
<iframe>. Branding controls in the harness bar
above only affect this outer document. The payment form
inside the frame below is a separate HTML document
(inner-checkout-frame.html) with its own DOM, and its
own harness bar.
Same-origin frame access check: checking…
↑ separate document, loaded via <iframe src="inner-checkout-frame.html">
How to test this scenario:
- Cloudflare Worker — should work unmodified. Point a Worker
route at
inner-checkout-frame.html's own URL directly (not at the parent page). The Worker rewrites that HTML response at the edge regardless of how or where it's embedded, so this is the recommended path for iframe-based checkouts. - JavaScript SDK — will not reach the iframe if the
snippet is only added to this parent page. The SDK tag must be added
directly to
inner-checkout-frame.html, which only works if you (or the PSP) control that document's source — not possible for most third-party-hosted iframe checkouts.