Question regarding SqPaymentForm in Sandbox mode

Hi again!

I’m working through integrating the Catalog, Payments, Orders and Customers API’s for an e-commerce site. I’m expecting the workflow to go something like this:

  1. Create Order based on shopping cart line items populated with Catalog Item ID’s
  2. Ask for user’s information (email, name, address) and create Customer ID. Associate Customer ID with Order.
  3. Ask for Payment using SqPaymentForm and create Payment ID Associate Payment ID with Order.

Approximately… I’m working solely within the sandbox environment, since I’m developing and testing the thing … and based on that, I get the Square SqPaymentForm javascript file from this url: “https://js.squareupsandbox.com/v2/paymentform” which is different than I will be getting it from when I move to production. I mention this only because it shows that there are (or, at least conceivably there could be) different versions of the javascript served for the sandbox environment than the production one.

I am using https: at all times when communicating with Square, to ensure security. However, in my development environment, i’m using XAMPP and running a local apache and PHP service and so on, for ease of testing, so I’m just using http: to serve my testing web pages. When I load up the SqPaymentForm I get this error:

jquery-1.11.1.min.js:4 Uncaught HttpsRequiredError: SqPaymentForm can only be embedded on sites that use HTTPS.
See: https-developer.squareup.com/docs/payment-form/troubleshooting#the-sqpaymentform-iframe-is-not-loading
at St._initialize (-)
at new St (-)
at eval (eval at (-), )
at eval (anonymous)
at -
at Function.globalEval (-)
at text script ()
at Pc (-)
at x (-)
at b (-)

As you may be aware, getting SSL working in a development environment is troublesome because you have to jump through hoops like a trained baboon to get a properly signed and trusted certificate for a development machine, and Chrome just turns up its nose at any self-signed certificates you generate, and falls back to using http. So my question is: is it possible to have a “sandbox-only” version of the SqPaymentForm javascript which doesn’t to make sure it’s embedded in a page served by https? Of course, all communications with Square’s REST API will continue to be on secure sockets, but I’m not sure that I understand why, in the sandbox environment, you can’t have it work with just http.

One other query, given the workflow above, I will have (from getting the shipping address) the customer’s postal code, which is one of the fields that is required on the SqPaymentForm. Is there a way to pre-load this with the zip/postal code that I have from the shipping address when the payment form is rendered? It would be a great way to reduce friction for the customer.

– update: never mind this last one, I found it with a little digging.

Thanks for the feedback, this sounds like a very genuine feature request, so I’ll update it as such. Unfortunately in the current state, the Square Payment Form will either work with HTTPS or a server hosted using literally localhost. However, if you have a local server most likely it’s something besides localhost in which case we see it as needing HTTPS, so this won’t work currently. I can definitely see how this would be useful, though!