Using postMessage with PayForm, AccountForm, or Hosted Payment Page is easy! You just need to add some code within your application to make use of our postMessage call.
Below you will see a code example in Node on how you would build your data packet and construct the url for the form. Notice that we are adding a field "parent_send_message" with a value of 1 to enable postMessage functionality.
Receiving the Message
Once a successful payment is made inside the iFrame, the iFrame will fire postMessage using the JSON response from the form post as the value of the message.
If you do not expect to receive messages from other sites, do not add any event listeners for message events. This is a completely foolproof way to avoid security problems.
If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage for more info on postMessage.