Paypal.com Stuck at Security Check

geraldh
Moonbather
Posts: 54
Joined: 2022-06-18, 16:19
Location: Citizen of Europe

Paypal.com Stuck at Security Check

Post by geraldh » 2026-04-28, 12:10

In the past few days I have been unable to log in to PayPal when making eBay purchases.
After typing in my password I get "Please wait while we perform security check" and then for a few seconds a twirling graphic which then stops and leaves me with just the "Please wait while we perform security check" text.


Timestamp: 28/04/26 13:08:52
Error: Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://www.paypalobjects.com’) does not match the recipient window’s origin (‘https://www.paypal.com’).
Source File: https://www.paypalobjects.com/web/res/763/5fb1f0dbc65744ed7c0eb0889575e/hcaptcha/hcaptchapassive_eval.html?siteKey=884d15d9-b649-4bbb-8d1c-2d6f0eed75eb&locale.x=en_GB&country.x=GB&checkConnectionTimeout=5000&action=signin&domain=hcaptcha.paypal.com&customDomains=endpoint%3Dhttps%3A%2F%2Fhcaptcha.paypal.com%26assethost%3Dhttps%3A%2F%2Fnewassets.hcaptcha.paypal.com%26imghost%3Dhttps%3A%2F%2Fimgs.hcaptcha.paypal.com%26reportapi%3Dhttps%3A%2F%2Faccounts.hcaptcha.paypal.com%26host%3Dhcaptcha.paypal.com
Line: 0

back2themoon
Knows the dark side
Posts: 3287
Joined: 2012-08-19, 20:32

Re: Paypal.com Stuck at Security Check

Post by back2themoon » 2026-05-02, 17:47

Are you blocking HTTP Referers with an extension or some other way? I had the same issue, temporarily disabled the "Referrer Control" extension and their security check went through.

geraldh
Moonbather
Posts: 54
Joined: 2022-06-18, 16:19
Location: Citizen of Europe

Re: Paypal.com Stuck at Security Check

Post by geraldh » 2026-05-10, 08:44

Thanks for the suggestion. I think I've cracked it. It's an nMatrix/eMatrix setting "Spoof HTTP referrer string of third-party requests" which I think is turned on by default? Even if I disable filtering via the toolbar icon, the "Spoof HTTP referrer string of third-party requests" setting is still active. Unticking this has solved issues with another website that I couldn't view properly as well, so I'll leave that unticked now.

back2themoon
Knows the dark side
Posts: 3287
Joined: 2012-08-19, 20:32

Re: Paypal.com Stuck at Security Check

Post by back2themoon » 2026-05-10, 09:51

Yes, the Referer toggle in eMatrix is only meant as a global switch. If you want finer, per-website control you'd need another extension like the aforementioned Referrer Control.

By the way, there's an interesting decades-old spelling issue here. Referer is correct, but it's often misspelled as Referrer.

Moonchild
Project founder
Posts: 39492
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Paypal.com Stuck at Security Check

Post by Moonchild » 2026-05-10, 10:26

Referrer checks are a common pitfall for people using extensions that touch them. In today's internet with the use of many different hosts on singular websites it's almost always a bad idea to spoof them.
"Praise from a narcissistic person is always a poison dart. They don't share the stage, so discernment matters." - Dr. Ramani
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

back2themoon
Knows the dark side
Posts: 3287
Joined: 2012-08-19, 20:32

Re: Paypal.com Stuck at Security Check

Post by back2themoon » 2026-05-10, 10:58

Ok, but why the heck should any website know our previously visited website, i.e. where we come from? I mean, isn't that kind of significant, privacy-wise?

Most of these extensions have an option to "ignore same domain requests" i.e. don't interfere in that scenario which indeed is a sane default and keeps breakage to a minimum. And referer-related breakage isn't really that widespread. Surely the privacy benefit is greater, or am I missing something?

Moonchild
Project founder
Posts: 39492
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Paypal.com Stuck at Security Check

Post by Moonchild » 2026-05-10, 11:40

back2themoon wrote:
2026-05-10, 10:58
Ok, but why the heck should any website know our previously visited website, i.e. where we come from?
Because you don't want external requests to suck up your server bandwidth, for one.
Secondly, for security-sensitive things, you want to ensure inbound linkage is legitimate from expected hosts.

Yes, it's potentially a privacy concern, but not that big of a deal in properly-implemented web clients like browsers. It only shows the target server where you came from if it was, in fact, a hyperlink or other content-navigation request. Referrers are empty if you navigate manually from the UI or use a bookmark or whatnot.

Same-domain settings to ignore referrer spoofing are indeed a good measure to limit breakage, but that still fails when, like Paypal does, own hosts aren't necessarily all on the same domain (which is often a security measure for the server operator as well - decoupling DNS of the core business from any third party in use like a CDN). I know paypal uses "paypalobjects.com" for example for static resources that have to be cached aggressively; "same domain" won't work because it's not "paypal.com".
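
Added example (not part of any post in this thread, and not PayPal's or eMatrix's code): a small model of the breakage described above, with an extension's "ignore same-domain requests" exemption on one side and a server's expected-host Referer check on the other. The function names, the allowlist, the URL paths and the assumption that spoofing substitutes the requested host's own root URL are all hypothetical; only the host names come from the thread.

```javascript
// Added example; function names, settings and the allowlist are hypothetical.

// Naive "same domain" test: compare the last two DNS labels.
// (Production code needs the Public Suffix List; this is enough for .com hosts.)
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Client side: the Referer that leaves the browser for a sub-request.
// Assumption: spoofing replaces the value with the requested host's own root URL.
function outgoingReferer(pageUrl, requestUrl, opts) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameDomain = baseDomain(page.hostname) === baseDomain(req.hostname);
  if (!opts.spoofThirdParty || (opts.ignoreSameDomain && sameDomain)) {
    return page.origin + '/';   // untouched: origin of the embedding page
  }
  return req.origin + '/';      // spoofed
}

// Server side: accept only an https Referer whose host is exactly on the list.
// Exact host match, never a substring test; a missing header is rejected here.
function refererAllowed(header, expectedHosts) {
  if (!header) return false;
  let url;
  try { url = new URL(header); } catch { return false; }
  return url.protocol === 'https:' && expectedHosts.has(url.hostname);
}

const EXPECTED = new Set(['www.paypal.com']);   // assumed server allowlist
const PAGE = 'https://www.paypal.com/signin';   // constructed sample URLs
const STATIC = 'https://www.paypalobjects.com/web/res/check.html';
const SUBDOMAIN = 'https://hcaptcha.paypal.com/api';

// Run one sub-request through both sides and report the outcome.
function simulate(requestUrl, opts) {
  const referer = outgoingReferer(PAGE, requestUrl, opts);
  return { referer, allowed: refererAllowed(referer, EXPECTED) };
}

const spoofing = { spoofThirdParty: true, ignoreSameDomain: true };
console.log(simulate(STATIC, { spoofThirdParty: false }));  // allowed
console.log(simulate(SUBDOMAIN, spoofing));                  // exempt, allowed
console.log(simulate(STATIC, spoofing));                     // spoofed, rejected
```

The third case is the one from this thread: paypalobjects.com and paypal.com are different registrable domains, so the same-domain exemption does not apply and the expected-host check sees the wrong value.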

BenFenner
Keeps coming back
Posts: 952
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: Paypal.com Stuck at Security Check

Post by BenFenner » 2026-05-10, 13:01

Off-topic:
back2themoon wrote:
2026-05-10, 09:51
By the way, there's an interesting decades-old spelling issue here. Referer is correct, but it's often misspelled as Referrer.
back2themoon wrote:
2026-05-10, 09:51
Referer is correct, but it's often misspelled as Referrer.
back2themoon wrote:
2026-05-10, 09:51
Referer is correct
You have that a bit backwards.
I deal with this all the time in code. I prefer to spell it correctly ("referrer") everywhere possible (variable names, array keys, code comments, general documentation, etc.) and only use the incorrect misspelling ("referer") when I absolutely have to because the spec has that historic typo in it.

Moonchild
Project founder
Posts: 39492
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Paypal.com Stuck at Security Check

Post by Moonchild » 2026-05-10, 14:03

Off-topic:
Referrer as a concept and word/term is correct, but as pointed out there was a typo when the RFCs were written which cemented it in the spec, and once servers and browsers started using the typoed version with a single R in their header implementations, it couldn't easily be changed, and it's stuck since then. And unlike modern "standards" that are being changed on a Saturday whim all the time, the older Internet took them a lot more seriously and as unchanging.

back2themoon
Knows the dark side
Posts: 3287
Joined: 2012-08-19, 20:32

Re: Paypal.com Stuck at Security Check

Post by back2themoon » 2026-05-10, 15:46

BenFenner wrote:
2026-05-10, 13:01
You have that a bit backwards.
You are right! :D :oops: - I've got it backwards the entire time! Good to know.