Hi,

heres the problem explanation:

Im on the domain https://www.example.com - theres an Order-Form with the Action https://www.example-otherdomain.com with an other SSL Certificate.

On some conditions i set the form action to https://www.example.com so that it will be posted on our domain, but if the user uses a CreditCart it should get posted to https://www.example-otherdomain.com.

So far so good.

But in some rare conditions, users with CreditCards still posts their form to https://www.example.com.

So my idea is: Is there some Same-Domain-Policy for Javascript/HTTPS to protect the user from phishing? It seems that to set the FormAction to the same domain works, but not to reset it to the external one (with JS).

I cant reproduce this error, so im asking here if someone knows if theres such a problem. It doesnt matter which UserAgent the user has (there are post datas from FF, Chrome, Webkit, IE7/8)

Thx!