Using window.postMessage()
Using postMessage with PayForm, AccountForm, or Hosted Payment Page is easy! You just need to add some code within your application to make use of our postMessage call.
Enabling postMessage
Below you will see a code example in Node on how you would build your data packet and construct the url for the form. Notice that we are adding a field "parent_send_message" with a value of 1 to enable postMessage functionality.
Receiving the Message
In the code sample below, you will see some JavaScript adding an event listener that will log the event object and data that was received from the postMessage() call. This logging is just for testing purposes to allow you to see the structure of the data being received. The console.log calls can be removed when your testing is complete (should be replaced with your actual business logic to process the message or respond to it).
Once a successful payment is made inside the iFrame, the iFrame will fire postMessage using the JSON response from the form post as the value of the message.
Security concerns
If you do not expect to receive messages from other sites, do not add any event listeners for message events. This is a completely foolproof way to avoid security problems.
If you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties. Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantees that an unknown sender will not send malicious messages. Having verified identity, however, you still should always verify the syntax of the received message. Otherwise, a security hole in the site you trusted to send only trusted messages could then open a cross-site scripting hole in your site.
Additional Information
See https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage for more info on postMessage.