Advertising Programming Security

Klarna might not work with your ads on Facebook / Instagram

If you are using the Facebook or Instagram app (meaning, on your smartphone) then that link is actually opened in Meta’s own browser that is built-in inside the app. I.e it’s not opening in Safari or Chrome.

The FB/IG in-app browser can return errors due to CSP for embedded Klarna checkout for some clients, while working perfectly in system browser (Chrome, Safari etc).

What is CSP?

CSP are security policies that a browser uses that allows/disallows cross-site interaction. Your site has to explicitly allow interaction with some of Klarna’s domains to make the APIs work (i.e. so that your site and their system can communicate.)

Klarna uses different API endpoint (domain) for Facebook and Instagram’s in-app browser

The problem is that the domain shown in Klarna’s API dev docs are not the only ones. What they actually are can vary depending on geographical location etc.

It ALSO varies based on browser used. I found the hard way that for FB/IG in-app browser they use a different API domain. This means that everything works fine on both Android and Apple UNLESS you clicked on an ad on FB/IG and are now using FB/IG’s in-app browser. In this precise scenario some of Klarna’s resources will not load because it’s coming from a new domain that you have not encountered before (and therefore did not set CSP rules necessary for communication to happen).

Visually, things looked normal because the initial steps were loaded from a commonly used domain. So the forms, images, CSS etc did load. It was the final step of confirming payment with Klarna that failed.

It’s a precise scenario that needs to happen to get this problem.

For the ecom, it looks just like an initiated but abandoned checkout.

Normal testing is not enough

We had clients complaining for a while that Klarna did not work, but we did get orders with Klarna so we assumed that those clients just maxed out their credit with Klarna. We also made regular orders to verify everything works, but since we did not reproduce the scenario above, we did not see any issues.

This has likely been an issue for weeks, maybe even months. Hard to say because it’s browser error.

Lots of clients got a cart recovery email and opened in system browser and it worked. So this sequence of events also helped to cover up what was happening.

Klarna provides no help

Klarna, for some reason, does not supply this information clearly. Their dev docs doesn’t seem to mention this at all. Their support have no idea what you are talking about and you have to escalate to even get info.

Looking around, I’ve found there are others that has faced this issues, and they too are frustrated with Klarna for silently introducing new API domains.

Since this issue can be very difficult to notice, businesses that advertise on Facebook and Instagram could be losing substantial amounts while their system tests show that Klarna is working perfectly fine.

Until now, Klarna has still not provided a list of domain that their checkout uses. Instead they refer to their dev docs that absolutely does not provide sufficient info.
Instead, their “solution” is to allow everything from Klarna.

This is what we got from Klarna:

  • frame-src *
  • script-src * *
  • img-src * * *

For your techies out there, you know that wild cards is normally something that you don’t want to use.

This is not the first time that Klarna totally fails to communicate changes to their clients.