#571071 got the same error as above. They write:

After I enter my VISA information, I get stuck on the screen shown in the attachment. I've left it for over 10 minutes and nothing happens. I am using Firefox 65. I had the same result in Chrome 73. I am using Windows 7. My full user agent string on Firefox:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

My card is a Swedish VISA debit card from Nordea with "two-factor" authentication, meaning that when I use the card online I usually get redirected to a page where I need to use an app to sign the transaction. I think it's sometimes referred to as "3D secure" or something like that. I also tried opening up the card to all internet transactions, which disables the two-factor check, but I had the same result.//

This donor also added:

I do use uBlock origin, but the problem persists even with it completely disabled. In Chrome I have no ad blocker at all, and the problem is the same there. I tried again now (in Firefox, with uBlock disabled), and the javascript console logs the following error:

Content Security Policy: The page’s settings blocked the loading of a resource at https://secure5.arcot.com/vpas/admin/CAPServlet?RID=8523&VAA=B (“default-src”).

I recognize the arcot.com domain as something that the 3DSecure two-factor authentication normally uses, so if I had to guess it would be an issue with the CSP headers in the server response.

Im checking with Ingenico right now, but thanks fr-tech for checking if its something internal.

Also, can we change the iframe message, as we have previously done?

OK, FR-tech is pretty sure this is caused by the new access-control header that we added with the payments-wiki upgrade. That header tells the browser to only load frames, images, and scripts from certain domains. We've allowed the payment processor domains, but we didn't include any of the potential places a user might be sent to do a 3ds authentication.

We have one workaround for now - add variant=redirect to the URL for the countries where 3DS is turned on. This is currently just NO, SE, and PL (not IN as I originally though).
That variant will always do a full redirect to the payment processor page, so our access control headers won't interfere with any 3DS authentication.

We can work on a more robust fix that will automatically do the redirection when 3DS is on.
(copied from email)

@MBeat33 yep, that donor had it right on the money! Man, do we have some smart ppl giving us money :)

srsly @Ejegg we might have to give them some Wikistore credit for swag as a thank-you

Change 499800 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/DonationInterface@master] Ingenico connect: Always redirect when using 3DS

https://gerrit.wikimedia.org/r/499800

Change 499800 merged by jenkins-bot:
[mediawiki/extensions/DonationInterface@master] Ingenico connect: Always redirect when using 3DS

https://gerrit.wikimedia.org/r/499800