-1

As a software developer, a project has come up to migrate a current portal application. The portal allows users to log in, and once logged in they are provided with a selection of different applications that they can choose from a menu. The portal application is written in .aspx WebForms. The applications from the menu are also .aspx WebForms. Once an application is loaded, the menu control is loaded with the application.

The proposed solution is to create a new portal application, written using .NET Core along with Identity to provide secure login functionality and comply with best practices etc.

The application is being written using MVC / .NET Core / Bootstrap to create a mobile-first driven environment. Once a user is logged in, the menu is loaded once, and I am working towards a solution of loading the applications into a responsive iframe. Allowing the applications to be loaded into an iframe would allow the progressive journey of migrating the WebForms applications to an MVC format in the coming months.

I have read mixed reviews about iframes, but nothing really evident that they are safe to use within an internally hosted application. The hosted internal application will allow member users to log in and view their specific applications. The things I have read also say they are safe etc., but nothing totally concrete.

I need to find evidence that iframes are safe regarding PCI / security / clickjacking. What do I require to make the .NET Core application that contains the iframe as secure as possible? Again, to reiterate, the proposed application portal will be hosted under SSL and would contain an iframe once logged on, to then load hosted internal applications into the iframe. If I am to use an iframe solution, then what should I be doing to make everything secure? What would be the alternative to an iframe to load an internal application successfully? Again, having read everything, I believe div elements will not work, as the applications that are loaded have independent jQuery under different versions. Also, within the iframe, the postback process can happen with no issue.

Any other advice or opinions would be gratefully received. Thanks.

Paul
  • The problem is you are trying to use an iframe. Sorry. If it was your choice, bite the bullet and change it. If it's a 3rd party forcing you to do it, tell them to do one and use somebody else. iframe = evil = endless nightmares – Piotr Kula Aug 23 '18 at 14:42
  • There is no 3rd party involved. The application portal will be hosted on an internal server, public facing, to allow certain key members to log in. The issue I face is that the applications that are to be loaded into an iframe once logged on are of MVC WebForms and the classic aspx WebForms: 2 different technologies. I've thought of many different ways to avoid iframes but keep going back to the iframe option due to the issue I am facing. Either I need to think of an alternative solution or make sure the iframe is secure from any potential hack once logged into the portal. – Paul Aug 23 '18 at 15:27

1 Answer

0

Generally speaking, iframes are safe from client-side script attacks due to the same-origin policy.

So if you want to see if they're safe enough for your needs I'd suggest looking at ways to get around this policy. A quick google shows this question asking for ways to get around it.

Sean T
  • Great advice. I have looked at the links that have been mentioned. As part of my analysis around security I will be viewing https://app.pluralsight.com/library/courses/asp-dot-net-core-security-understanding/table-of-contents and the sandbox attribute that can be used within the iframe: https://www.w3schools.com/tags/att_iframe_sandbox.asp – Paul Aug 28 '18 at 09:58
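
The clickjacking and sandbox points raised in this thread, as an added example that is not code from the question or the answer: an ASP.NET Core middleware that stops the portal itself from being framed and limits what its iframe may load, plus a helper that emits the sandboxed iframe. The origin `https://apps.internal.example` and the names `PortalFraming`, `UsePortalFramingPolicy` and `SandboxedFrame` are hypothetical, and the example assumes the legacy applications are served from a different origin than the portal.

```csharp
using System;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Builder;

public static class PortalFraming
{
    // Assumption: the legacy WebForms apps live on their own origin, separate from the portal.
    public const string LegacyAppsOrigin = "https://apps.internal.example";

    // Register early in Startup.Configure: app.UsePortalFramingPolicy();
    public static IApplicationBuilder UsePortalFramingPolicy(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            var headers = context.Response.Headers;
            // frame-ancestors 'none': no page may frame the portal (clickjacking defence).
            // frame-src: the portal's iframe may load documents only from the legacy origin.
            headers["Content-Security-Policy"] =
                "frame-ancestors 'none'; frame-src " + LegacyAppsOrigin;
            // Older header with the same intent, for browsers without frame-ancestors.
            headers["X-Frame-Options"] = "DENY";
            await next();
        });
    }

    // Builds the iframe markup for a menu entry; rejects any URL off the legacy origin,
    // including absolute and protocol-relative ("//host/...") values.
    public static string SandboxedFrame(string appPath)
    {
        if (!Uri.TryCreate(new Uri(LegacyAppsOrigin), appPath, out var target) ||
            !string.Equals(target.GetLeftPart(UriPartial.Authority), LegacyAppsOrigin,
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("Application URL is outside the allowed origin.",
                                        nameof(appPath));
        }
        // allow-forms: WebForms postbacks. allow-scripts: each app's own jQuery.
        // allow-same-origin keeps the app's real origin for its own cookies and scripts;
        // if the framed app shared the portal's origin, allow-scripts together with
        // allow-same-origin would let it remove the sandbox, hence the separate origin.
        // No allow-top-navigation: the framed app cannot redirect the portal window.
        return "<iframe sandbox=\"allow-forms allow-scripts allow-same-origin\" src=\""
               + HtmlEncoder.Default.Encode(target.AbsoluteUri) + "\"></iframe>";
    }
}
```

The framed applications need the mirror-image rule: each should send `Content-Security-Policy: frame-ancestors` naming only the portal's origin, so that no other site can embed them.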