Using postMessage with PayForm, AccountForm, Hosted Payment Page, or SSO in an iFrame is easy! You just need to add some code within your application to make use of our postMessage call.
Below you will see a code example in Node showing how you would build your data packet and construct the URL for the form. Notice that we are adding a field "parent_send_message" with a value of 1 to enable postMessage functionality.
Note: This is not applicable in the SSO scenario. For SSO scenarios, the postMessage is always sent if the UI is detected to be in an iFrame.
Receiving the Message
Once a successful API call is made inside the iFrame, the iFrame will fire postMessage using the JSON response from the form as the value of the message.
If you do not expect to receive messages from other sites, do not add any event listeners for message events. This is a completely foolproof way to avoid security problems.
If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
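One way to implement the checks described above, as an added example that is not the vendor's code: the handler verifies the origin and source, then validates the syntax of the JSON payload before anything is used. The origin `https://forms.example.com`, the `success` and `message` fields, and the element ids are assumptions; replace them with the origin that serves your form and the fields its response actually contains.

```javascript
// Added example; the origin and field names below are assumptions, not vendor values.
const TRUSTED_ORIGIN = "https://forms.example.com"; // origin that serves the hosted form
const EXPECTED_FIELDS = { success: "boolean", message: "string" }; // hypothetical schema
const MAX_LENGTH = 64 * 1024; // refuse oversized string payloads before parsing

// Returns a validated copy of the form response, or null if the event is rejected.
function acceptFormMessage(event, iframeWindow) {
  // Sender identity: exact origin comparison, never a prefix or substring test.
  if (event.origin !== TRUSTED_ORIGIN) return null;
  // The sender must be the iFrame this page embedded, not some other window.
  if (event.source !== iframeWindow) return null;

  // Syntax: accept a JSON string or an already structured object.
  let data = event.data;
  if (typeof data === "string") {
    if (data.length > MAX_LENGTH) return null;
    try {
      data = JSON.parse(data);
    } catch (err) {
      return null;
    }
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;

  // Copy only the expected fields, each with the expected type.
  const clean = {};
  for (const [name, type] of Object.entries(EXPECTED_FIELDS)) {
    if (!Object.prototype.hasOwnProperty.call(data, name)) return null;
    if (typeof data[name] !== type) return null;
    clean[name] = data[name];
  }
  return clean;
}

// Browser wiring; skipped when the file runs outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.getElementById("payform-frame"); // hypothetical element id
  window.addEventListener("message", (event) => {
    const response = frame && acceptFormMessage(event, frame.contentWindow);
    if (!response) return; // drop anything that fails a check
    const status = document.getElementById("status"); // hypothetical element id
    // textContent keeps the value from being parsed as HTML.
    if (status) status.textContent = response.message;
  });
}
```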
See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage for more info on postMessage.