Shopify has been pushing for the headless commerce.
So I have an implementation that requires 3DS.
According the graphql api I get the returnurl (which is the challenge page) : this page is being sent with x-frame-options : DENY. so you cannot embed this window in an iframe (frictionless flow) . HOWEVER this is supported by the emvco standard
I really would like a professional support from shopify to discuss the way they did implement their 3DS. The emvco standard tells explicitly that the 3DS challenge window can be put into an iframe but Shopify’s implementation won’t let you do that as they are sending some X-Frame-Option : DENY in the 3DS challenge page also .. they should provide the return url as any standard implementation.
Open for discussion !
Stripe implementation supports the iframe too. https://stripe.com/docs/payments/3d-secure as I already know, Shopify uses stripe in their backend, why this is not supported ?