Stripe: Open payment gateways in new window when shown in widget

src/pretix/plugins/stripe/payment.py

@@ -1,12 +1,14 @@
 import hashlib
 import json
 import logging
+import urllib.parse
 from collections import OrderedDict
 
 import stripe
 from django import forms
 from django.conf import settings
 from django.contrib import messages
+from django.core import signing
 from django.template.loader import get_template
 from django.utils.translation import ugettext, ugettext_lazy as _
 
@@ -371,7 +373,17 @@ class StripeMethod(BasePaymentProvider):
         order.payment_info = str(source)
         order.save(update_fields=['payment_info'])
         request.session['payment_stripe_order_secret'] = order.secret
-        return source.redirect.url
+        return self.redirect(request, source.redirect.url)
+
+    def redirect(self, request, url):
+        if request.session.get('iframe_session', False):
+            signer = signing.Signer(salt='safe-redirect')
+            return (
+                build_absolute_uri(request.event, 'plugins:stripe:redirect') + '?url=' +
+                urllib.parse.quote(signer.sign(url))
+            )
+        else:
+            return str(url)
 
 
 class StripeCC(StripeMethod):
@@ -436,7 +448,7 @@ class StripeCC(StripeMethod):
                     if source.status == "pending":
                         order.payment_info = str(source)
                         order.save(update_fields=['payment_info'])
-                        return source.redirect.url
+                        return self.redirect(request, source.redirect.url)
             except stripe.error.StripeError as e:
                 if e.json_body:
                     err = e.json_body['error']

src/pretix/plugins/stripe/templates/pretixplugins/stripe/redirect.html

@@ -0,0 +1,32 @@
+{% load compress %}
+{% load i18n %}
+{% load staticfiles %}
+<!DOCTYPE html>
+<html>
+<head>
+    <title>{{ settings.PRETIX_INSTANCE_NAME }}</title>
+    {% compress css %}
+        <link rel="stylesheet" type="text/x-scss" href="{% static "pretixbase/scss/cachedfiles.scss" %}"/>
+    {% endcompress %}
+    {% compress js %}
+        <script type="text/javascript" src="{% static "jquery/js/jquery-2.1.1.min.js" %}"></script>
+    {% endcompress %}
+</head>
+<body>
+    <div class="container">
+        <h1>{% trans "The payment process has started in a new window." %}</h1>
+
+        <p>
+            {% trans "The window to enter your payment data was not opened or was closed?" %}
+        </p>
+        <p>
+            <a href="{{ url }}" target="_blank">
+                {% trans "Click here in order to open the window." %}
+            </a>
+        </p>
+        <script>
+            window.open('{{ url|escapejs }}');
+        </script>
+    </div>
+</body>
+</html>

src/pretix/plugins/stripe/urls.py

@@ -2,11 +2,12 @@ from django.conf.urls import include, url
 
 from pretix.multidomain import event_url
 
-from .views import ReturnView, refund, webhook
+from .views import ReturnView, redirect_view, refund, webhook
 
 event_patterns = [
     url(r'^stripe/', include([
         event_url(r'^webhook/$', webhook, name='webhook', require_live=False),
+        url(r'^redirect/$', redirect_view, name='redirect'),
         url(r'^return/(?P<order>[^/]+)/(?P<hash>[^/]+)/$', ReturnView.as_view(), name='return'),
     ])),
 ]

src/pretix/plugins/stripe/views.py

@@ -4,9 +4,10 @@ import logging
 
 import stripe
 from django.contrib import messages
+from django.core import signing
 from django.db import transaction
-from django.http import Http404, HttpResponse
-from django.shortcuts import get_object_or_404, redirect
+from django.http import Http404, HttpResponse, HttpResponseBadRequest
+from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
@@ -28,6 +29,21 @@ from pretix.plugins.stripe.payment import StripeCC
 logger = logging.getLogger('pretix.plugins.stripe')
 
 
+@xframe_options_exempt
+def redirect_view(request, *args, **kwargs):
+    signer = signing.Signer(salt='safe-redirect')
+    try:
+        url = signer.unsign(request.GET.get('url', ''))
+    except signing.BadSignature:
+        return HttpResponseBadRequest('Invalid parameter')
+
+    r = render(request, 'pretixplugins/paypal/redirect.html', {
+        'url': url,
+    })
+    r._csp_ignore = True
+    return r
+
+
 @csrf_exempt
 @require_POST
 def webhook(request, *args, **kwargs):