SuiteCommerce 2020.1.x Minor Releases: SuiteScript Rollback, jQuery 3.5.1, and Iframe Security Controls

Overview

Oracle shipped twelve minor patches (2020.1.1 through 2020.1.12) for SuiteCommerce and SuiteCommerce Advanced during the 2020.1 release cycle. Most are bug fixes for checkout, payment processing, and the storefront UI, but several carry code-level implications that developers and admins should act on.

Key changes

SuiteScript 2.0 rollback — OrderHistory and ReturnAuthorization (2020.1.1.1)

The OrderHistory and ReturnAuthorization modules were migrated to SuiteScript 2.0 in the 2020.1.0 base release. That migration broke field sets, so both modules were rolled back to SuiteScript 1.0 in 2020.1.1.1. If you extended or customized either module and adapted your code for the 2.0 APIs, verify that your customizations still function under SuiteScript 1.0. Oracle's release notes do not indicate when a second migration attempt will occur.

Iframe security controls on the Configuration Record (2020.1.2 / 2020.1.4)

A Security subtab was added to Configuration Record > Advanced. It controls whether storefront pages can be rendered inside a frame (e.g., <iframe>). The default policy disallows framing by all domains except your own.

• 2020.1.2 — subtab introduced; default not yet enforced.
• 2020.1.4 — default enforcement activated.

If your site is embedded in third-party frames (kiosks, partner portals, etc.), you must update this setting or those integrations will break.

jQuery upgraded to 3.5.1 (2020.1.4)

The bundled jQuery library was updated from an older version to 3.5.1. jQuery 3.5.x includes breaking changes to jQuery.htmlPrefilter() and tightened XSS protections. Any SuiteCommerce extensions or SCA customizations that rely on deprecated jQuery APIs (e.g., .andSelf(), positional selectors in :first/:last, or self-closing HTML tag shortcuts) may fail silently or throw errors after this update.

Image zoom option added (2020.1.4)

A new Enable Zoom for Images checkbox was added to the Shopping Catalog Tab of the Configuration Record. Enabled by default — product images on the PDP and Quick View zoom on hover. Disable it if zoom behavior conflicts with custom image-handling scripts.

Window.postMessage for 3D Secure 2.0 gateway challenges (2020.1.12)

Merchants can now communicate payment gateway challenges (e.g., 3DS2 authentication prompts) using Window.postMessage(). This replaces direct DOM manipulation patterns and is relevant if you have custom payment-flow scripts that intercept or extend the checkout payment step.

Notable bug fixes by area

Checkout and payment processing

• 3D Secure 2.0 credit card authentication failures during checkout (2020.1.8, 2020.1.12).
• Payment Instruments feature causing blank My Account and Checkout pages (2020.1.2) and AVS Street/Zip match failures with "Unsupported by processor" errors (2020.1.11.1).
• Credit card info saved despite Save Credit Card Info by Default preference being disabled when paying open invoices from My Account > Billing (2020.1.6).
• One-page checkout: shipping address management failures (2020.1.5), billing/shipping address defaulting to one address (2020.1.1), blank shipping sections with multi-address shipping (2020.1.10), and "Please select a credit card" errors on Back button (2020.1.11.1).
• External payment methods failing with "Payment method is not supported for this gateway" (2020.1.1).
• Quote Detail Page allowing order completion without a billing address (2020.1.4).

Google Tag Manager data layer

• Missing Product Internal ID on productList and productView events (2020.1.1).
• cartView event not firing on Cart page when using Criteo service (2020.1.2).
• Incorrect SearchItem-end event (2020.1.8).

SEO

• Instrumentation module negatively impacting SEO page generator (2020.1.1.1).
• ERR_TOO_MANY_REDIRECTS on URLs with multiple fragments, caused by 301 redirect loops (2020.1.1).
• QuotaExceededError: DOM Exception 22 from exceeding browser localStorage capacity on secure domains with CDN enabled (2020.1.1).

Extension Developer Tools

• Customizing LoginRegister.Register.View via addToViewContextDefinition threw INVALID_PARAM — the view ID was not registered in the component (2020.1.3).

My Account

• Blank My Account page for customers with more than 1000 invoices, throwing Uncaught SyntaxError: Unexpected token '<' on MyAccountEnvironment.Service.ssp (2020.1.3).
• Purchase History showing incorrect quantities (2020.1.1, 2020.1.9).
• Pending/partially-paid invoices not appearing in the Invoices menu (2020.1.1).
• Cash sales from SuiteCommerce InStore missing from Purchase History (2020.1.2).

HTTP security headers

• 2020.1.4 ensured HTTP security headers are included on all SuiteCommerce and SCA pages. If you test with header-sensitive tooling (CSP scanners, etc.), re-baseline after this patch.

Other storefront fixes

• Currency conversion error on return authorizations — total less than original sales order amount (2020.1.6).
• Font Awesome icons rendering as question marks on non-UTF-8 sites, caused by Extension Manager (2020.1.4).
• SMT Theme Skin Manager not saving custom skin changes (2020.1.4).
• Duplicate Item Search API calls for relateditems_details and correlateditems_details (2020.1.9).

What to do

1. Check OrderHistory / ReturnAuthorization customizations. If you adapted these modules for SuiteScript 2.0, verify they work under the 1.0 rollback. Test field set rendering end-to-end.
2. Review iframe embedding. If your storefront is rendered in third-party frames, go to Configuration Record > Advanced > Security and whitelist the required domains. The deny-all default is enforced as of 2020.1.4.
3. Audit jQuery usage. Search your SCA customizations and extensions for deprecated jQuery 2.x/3.x APIs. Validate against jQuery 3.5.1 migration guides. Pay particular attention to jQuery.htmlPrefilter() changes.
4. Retest GTM integrations. If you rely on productList, productView, cartView, or SearchItem-end data-layer events, confirm they fire correctly after applying these patches.
5. Retest 3DS2 payment flows. If your gateway uses 3D Secure 2.0, run through end-to-end checkout on a sandbox to confirm authentication prompts work. Review any custom payment scripts for compatibility with the new Window.postMessage() approach (2020.1.12).
6. Validate Extension Developer Tools customizations. If you use addToViewContextDefinition on LoginRegister.Register.View or similar views, confirm the fix resolves the INVALID_PARAM error in your environment.
7. Re-baseline security scans. HTTP security headers are now injected on all pages (2020.1.4). Update any CSP or header-compliance baselines.