My webmaster has an online store on a site with ssl that i would like to feature on my site. He says this could be done with an iframe. Are there any security risks in using an iframe for this shop, in example a middle man attack? Or is this safe for any customers using it because the origin is protected?
Asked
Active
Viewed 5,979 times
1
-
Possible duplicate of [Why are iframes considered dangerous and a security risk?](https://stackoverflow.com/questions/7289139/why-are-iframes-considered-dangerous-and-a-security-risk) – Frank Tan Jul 26 '17 at 20:43
1 Answers
3
Although iFrames are, in theory, loaded securely in their own environment, there are several security issues with them including:
They can be used for ClickJacking attacks. For example a site loads another website in an iframe and then floats username and password text boxes on top of the iframe so people think they are typing these into the website in the iframe, when in fact they are not.
It's not easy to see the website the iframe is loading. For example you load a frame of badbank.com and make it look exactly like goodbank.com. The user has no idea which domain has loaded as there is no address bar nor green padlock.
In general it's suggested for websites to prevent framing using X-Frame-Options or Content Security Policy HTTP Headers to prevent framing.
For sites like you doing the framing (rather than being framed) you are therefore risking your users. So if your site is hacked then this might lead to above issues. Additionally I've worked on a couple of sites where framing suddenly broke when the framed site prevent it from being framed anymore using above headers. Which looks bad on your site.
Finally framing breaks some of the fundamental ways of using the web (e.g. Back button).
All in all I would caution against iFrames.
Barry Pollard
- 40,655
- 7
- 76
- 92