IAV Token error


(Adam Kay) #1

Hello!

When we call dwolla.iav.start in our Ionic Framework app, we are receiving this error:

"Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied."

Here is how our JavaScript looks:

// start the iav process with fresh iav token…

      dwolla.iav.start(resp.data.iavToken, {
        container: 'iavContainer',
        stylesheets: [
          'https://fonts.googleapis.com/css?family=Lato&subset=latin,latin-ext'
        ],
        fallbackToMicrodeposits: true
      }, function (err, res) {
        console.log('Error: ' + JSON.stringify(err) + ' -- Response: ' + JSON.stringify(res))
      });

This call never receives the callback response when a valid IAV token is passed in.
When I pass an invalid token, it actually gets an error back saying invalid token.
When I pass a valid token a second time, I receive an invalid token error. This makes me think that the API is doing something to invalidate the token before returning the X-XSS issue.

Any thoughts? Thank you!


(Stephen Ausman) #2

Hey Adam,

dwolla.js uses window.postMessage to communicate with an iframe hosted by www.dwolla.com. It sounds like a security feature may be blocking this communication. I did some Googling and it sounds like you may be able to whitelist the domain:

Hopefully that does it.


(Cody Mahan) #3

Hey @stephen - here is my Content Security Policy meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-eval' 'unsafe-inline';
                         script-src * 'unsafe-eval' 'unsafe-inline';
                         connect-src * 'unsafe-eval';
                         object-src 'self';
                         style-src * 'unsafe-inline';
                         media-src *;
                         frame-src 'self' https://uat.dwolla.com;">

I explicitly added frame-src 'self' https://uat.dwolla.com; but I am still getting the same error:
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.
This is the url that is causing the error:
https://uat.dwolla.com/Fi/Token/Search/ae2e99ca-97df-4413-80fc-1e78924f502e


(Cody Mahan) #4

Update - it might be that this is not actually causing an issue. I am able to see the iframe now, regardless of the error. Will update once I figure it out completely


(Hardik) #5

Is your issue solved?
I am also facing the same issue.


(Cody Mahan) #6

@Hardik_SA - no unfortunately I could not get Dwolla to work. We ended up switching to Plaid+Stripe using plaid link. Their support is better as well.


(Hardik) #7

@cwmahan Okay, thanks for the suggestion.


(Spencer Hunter) #8

@Hardik_SA, can you output the error message you are seeing so we can help out with debugging the error?


(Hardik) #9

@spencer
I am having this error in the console:
‘InvalidToken:1 Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.’

I am using the example code of:
https://docsv2.dwolla.com/#create-a-funding-source-for-a-customer - Initiate IAV flow - with sandbox url
I have also created a localhost server to run this HTML file. The following error comes when I click the start button in the code.


(Nickforddesign) #10

I am also seeing the same message while testing Dwolla.js in the sandbox environment in Chrome:

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.

Chrome points to line 1 of the response from https://uat.dwolla.com/Fi/Token/InvalidToken


(Stephen Ausman) #11

Hey @nickforddesign,

You should no longer see that warning in UAT, however it looks like the issue is with the IAV token you’re using. Usually when this happens it’s because the IAV token has already been used before, or the IAV token was created for another environment.

If you’d like to share some code examples with us (minus any sensitive information) we can try to reproduce the issue. Hopefully that helps!


(Nickforddesign) #12

Thanks @stephen!

I’m curious, what are the conditions for an IAV token expiring? I believe the only mention of token expiration in the docs is on this page: https://developers.dwolla.com/resources/funding-source-verification/instant-account-verification.html, which just says to request a new token upon receiving an InvalidIavToken response.

We ended up solving this by always requesting a new IAV token when a user is beginning an IAV flow, but we’re curious about the expiration conditions, as they are apparently not documented.

Thanks again!
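
The approach described in post #12 (request a new IAV token every time a flow starts, and again on an InvalidIavToken response), as an added example that is not code from the thread or from Dwolla. Assumptions: `requestToken` is a hypothetical callback wrapper around your own backend route that creates the token, the error object has the shape `{ code: 'InvalidIavToken' }`, and `makeFakeIav` is a constructed single-use stand-in for `dwolla.iav`.

```javascript
// Added example, not Dwolla's code. `requestToken` is a hypothetical callback
// wrapper around your own backend route that creates a new IAV token.
function startIavFlow({ iav, requestToken, options, maxAttempts = 2 }, onDone) {
  let attempts = 0;
  function attempt() {
    attempts += 1;
    // Mint a token for this attempt only; nothing is cached between flows.
    requestToken(function (tokenErr, iavToken) {
      if (tokenErr) return onDone(tokenErr, null, attempts);
      iav.start(iavToken, options, function (err, res) {
        // Assumed error shape: { code: 'InvalidIavToken' }.
        const invalid = Boolean(err) && err.code === 'InvalidIavToken';
        if (invalid && attempts < maxAttempts) return attempt();
        onDone(err || null, res || null, attempts);
      });
    });
  }
  attempt();
}

// Constructed stand-in for dwolla.iav: each issued token is accepted once.
function makeFakeIav() {
  const unused = new Set();
  let counter = 0;
  return {
    issue() { const t = 'constructed-token-' + (++counter); unused.add(t); return t; },
    start(token, options, cb) {
      if (!unused.delete(token)) return cb({ code: 'InvalidIavToken' }, null);
      cb(null, { container: options.container, token });
    },
  };
}

// Demo: a reused token fails, while the wrapper recovers with a fresh one.
function demo() {
  const iav = makeFakeIav();
  const stale = iav.issue();
  const options = { container: 'iavContainer', fallbackToMicrodeposits: true };
  iav.start(stale, options, function () {});       // first use consumes it
  let reuse, flow;
  iav.start(stale, options, function (err) { reuse = err; });
  // Backend stub hands out the stale token once, then fresh ones.
  const queue = [stale];
  const requestToken = (cb) => cb(null, queue.shift() || iav.issue());
  startIavFlow({ iav, requestToken, options }, function (err, res, attempts) {
    flow = { err, res, attempts };
  });
  return { reuse, flow };
}
```

In a real page, `iav` would be `dwolla.iav` and `requestToken` would call your server, which is the only place the API credentials used to create the token should live.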