
I have a page that renders some content and I allow it to be embedded in any third-party page, so I can't use X-Frame-Options. One of the requirements is to ask the user for a login/password when the content requires authentication. Currently it opens a popup, but I don't like that. I would like to create a nice dialog with JavaScript inside the same window. Since my page might be loaded inside an iframe, what are the security implications of doing so?

vmg

1 Answer

If you care about security, don't use iframe.

How can your user trust your iframe enough to enter their precious login information when the other site can use some simple CSS to put other elements above your iframe?

https://stackoverflow.com/questions/4378361/placing-content-over-an-iframe

If you want security and to provide a login solution that can be used by many websites, use OAuth2/OpenID, which will require the users to do a full redirect to your https login page. This is the only solution if you want to provide login for multiple sites that are not all on the same domain.

Gudradain
  • yep, good answer. Take a look at some examples here if you want :) https://steemit.com/security/@gaottantacinque/steemit-security-check-iframe-tricks – Gabe Jun 16 '18 at 05:55
  • If you are the owner of the authentication server, the iframe doesn't pose a threat. But you need to be strict on which iframes you allow by setting the X-FRAME-OPTIONS header with a fitting restriction – polly Aug 03 '18 at 10:01