Quote Originally Posted by one tall man View Post
Oh, so that was you! I should've guessed by Australian doing a store pick up!
I could have been visiting your area ;)

Quote Originally Posted by one tall man View Post
Someone already sent you a follow up email,
Yeah, apparently 'someone' didn't read the comment I made when I placed the order ;) I wasn't really impressed about that to be honest. What would have happened if I did select something other than local pickup? I suspect the unwanted order could be on its way to me already.

Quote Originally Posted by one tall man View Post
you can ignore it.
I already did.

Quote Originally Posted by one tall man View Post
Doing the refund now.
Got it. Thanks.

Quote Originally Posted by one tall man View Post
You are right, everything in Paypal module is working fine, thanks a 10^6 for your help and patience with my questions!
No problem. It was fortunate that you had some pretty cheap products. I was happy to 'risk' a couple of bucks to try to help out (and confirm my suspicions), but anything more than that you'd have been on your own waiting for a real order, which you could have lost if the problem still existed.

BTW, after doing that, I followed up initiating another order, but this time using firefox, and I still didn't get any warnings about 'clickjacking' - so that remains a mystery. I *suspect* it could be the result something related to how the page is/was rendered - for example, on a smaller screen it is possible that the 'checkout' button was overlapping one of the other buttons (which is basically what 'clickjacking' is all about) so this may still warrant further investigation 'cos it could cause a loss of sales.

I'd also suggest that you do something about the self-signed SSL which causes most/all browsers to produce a scary warning, which will cause lost sales. Personally I'd rather shop on a site with a self-signed certificate than one with a shared certificate (they are more trustworthy), so I had no qualms about clicking through and accepting the certificate - but most people won't. - You should either get the certificate signed by one of the CA's - OR (what I do) is set up to use 'Cloud flare', which will 'hide' the fact that it is self signed (or non existent). If this isn't an option, then don't use SSL at all. Most folk wan't notice or care, and even those that do see the 'not secure' that is displayed in the address bar these days, they are *still* more likely to proceed with the purchase than the scary popup and need to accept the self signed cert before they can continue.

Oh, another option - Most hosts these days provide a free SSL from "lets encrypt' (often without advertising it), so you may find that you can remove your self signed cert, and you will *still* have an SSL enabled site.


Cheers
Rod