Web Application Security
Secure iFrames Nov 03 2014 01:02PM
NightShade (avghacker gmail com) (2 replies)
Was hoping to get some feedback on what everyone feels are best
practices around securing iFrames. I've seen a lot of payment platforms
moving in this direction (i.e. Gumroad, Stripe, Memberful) yet with
little documentation around "here is the best way to secure the iFrame
our JavaScript generates".

The best documentation I've seen so far recommends an HTTPS webpage with
each link pointing to an HTTPS link as well. This way when you
click the link to load a modal / JS for the payment solution it is
"supposedly" done over HTTPS even though the browser won't present a
padlock (assuming the hosting page is HTTP). The other example I've
seen is a simple HTTP page that contains an HTTP link which in turn
opens a secure iFrame... which is probably not a good idea since you are
mixing secure and non-secure content.


Re: Secure iFrames Nov 05 2014 02:54PM
David Ford (david blue-labs org)
Re: Secure iFrames Nov 04 2014 01:43AM
Dave Pyper (davepyper davepyper com) (2 replies)
Re: Secure iFrames Nov 05 2014 02:56PM
David Ford (david blue-labs org)
Re: Secure iFrames Nov 04 2014 06:53PM
Tim Brown (tmb 65535 com)


Copyright 2010, SecurityFocus