
I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal's payment iframe or Plaid's Link. Many such services exist, and from what I have found they all seem to be using iframes. Of course, I have heard of vulnerabilities with iframes, such as clickjacking, which make me think twice about having a user enter their login credentials and submit a form within an iframe.

But there are lots of companies that are using iframes to provide embeddable components or widgets for other domains to use, and presumably these are secure enough. So is it safe for me to enable iframing (X_FRAME_OPTIONS) for this page on my website, or is there another way? Are clickjacking, keyjacking, and other such attacks a real threat for this use case, and if so what can I do to mitigate these dangers?

Anders
Luciano

1 Answer


There's no really good way to do this. The problem is less clickjacking - though that is a risk - and more that the user has no way to know whether the frame is genuine, or a phishing site. Anybody who wants to can put up an iframe that looks like yours, and just steals the user's credentials for your site if anybody thinks that this might be a real instance of your login page and enters them. To avoid that risk, you shouldn't ever lead your users to expect it's safe to enter their credentials on any third-party site!

The only way to get around that is to use a pop-up, a new window (tab, on modern browsers), or a top-level navigation (in all cases, to a login page on your domain). You'll notice that PayPal does this when signing in; they're not the only one.

CBHacking
  • @forest How does that help the user - as opposed to the embedding site - know that the login page is genuine? Any user who can tell that would have to do it by looking at the page source, and if they do that they can verify the iframe source directly. In any case, not something you can count on users doing to prevent or even detect fraud. – CBHacking Apr 25 '21 at 04:53
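As an added example (not from this thread) of the framing side of the advice above: a small Python policy helper that refuses to let the login page be framed at all, lets a non-credential widget page be embedded only by allowlisted partner origins, and includes a simplified model of how a browser evaluates the resulting `frame-ancestors` directive. The site origin, partner origins and paths are constructed placeholders; the header logic covers clickjacking, not the look-alike phishing problem the answer raises.

```python
from typing import Dict, Optional

# Constructed values, not from the original thread.
SITE_ORIGIN = "https://www.example"
PARTNER_ORIGINS = ("https://partner.example", "https://shop.example")
LOGIN_PATHS = ("/login", "/account/login")


def framing_headers(path: str) -> Dict[str, str]:
    """Anti-framing headers for a response served at `path`.

    Login pages deny every ancestor, so a third-party page can never host
    the credential form inside an iframe. Widget pages use CSP
    frame-ancestors for the partner allowlist, because X-Frame-Options
    only knows DENY/SAMEORIGIN (ALLOW-FROM is obsolete and unsupported).
    Browsers that understand frame-ancestors ignore X-Frame-Options when
    both are present, so XFO is kept only as a legacy fallback.
    """
    if path in LOGIN_PATHS:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if path.startswith("/widget/"):
        allow = " ".join(("'self'",) + PARTNER_ORIGINS)
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors " + allow}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}


def embedding_allowed(path: str, embedder_origin: Optional[str]) -> bool:
    """Simplified browser check: may a document at `embedder_origin`
    (None = loaded top-level, not framed) frame the page at `path`?

    Real browsers check every ancestor in the frame chain and apply
    scheme/host matching rules; this only compares exact origins.
    """
    if embedder_origin is None:
        return True
    csp = framing_headers(path)["Content-Security-Policy"]
    sources = csp.split(None, 1)[1].split()  # tokens after 'frame-ancestors'
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and embedder_origin == SITE_ORIGIN:
            return True
        if src == embedder_origin:
            return True
    return False
```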