Security risks for using an iframe for external website?
I want to make an iframe that will display an external website but I want to keep a horizontal toolbar at the top with my website logo.
What are the security risks for my application/server, if I load external sites into an iframe?
Thanks in advance.
Thanks for your answer. I don't want the external site to interact with the horizontal parent frame at the top of the page. I just want it to be displayed and have no influence on my website.
Do you think there is a viable way of blocking anything malicious?
Thanks a lot
You should not worry. iFrames are always protected by the browser. If iFrames are from different domains then they cannot communicate unless both are cooperating.
But if you are trying to put ads on, say, Facebook and load Facebook in a frame, then this is something that Facebook can fight against as they can disable being loaded in an iFrame by checking whether you are trying to leech off them or not.
There is always a security threat if you don't control both of these websites.
How to avoid this? You can't. It is never a good idea to use an iFrame of an untrusted source just like it is never a good idea to include scripts from untrusted sources and so on.
But if you have control over both of them or trust the iFrame domain then it is ok and you should not worry about visitors being able to mess things up.
Article about the iFrame Inception is here.
I actually want advertisers to enter their website's URL and the users have to stay, say 10 seconds, on the advertiser's website, to be able to view an article on my website.
So there will be a kind of countdown on the top horizontal bar, just above the iframe with the external site.
Is there a way to solve this issue in a secure manner?
I will have to moderate the advertiser's website. Can I use a tool to detect malicious scripts on a third party web page?
Last edited by alex12345; 02-17-2012 at 10:57 AM.
Originally Posted by alex12345
But this won't harm your server, so it is purely about the experience on your site by the person visiting it.
How you can prevent this? By checking and making sure that everything works properly on the site that you load.
This is no different than crosslinking a picture from web someplace and the owner of the website changing the picture to say F#%K Y$U.
But whatever you do, don't do it on 'sensitive' pages on your site. If you have login form, don't put login form on the same site where you load those iFrames. Since that frame can place a listener and then start capturing whatever the user enters. If you need to place login too, then have that on a separate page URL and on that URL don't load these ads.
To sum things up though, to make such an attack work requires a lot of effort for very little real damage. But that's the risk you take by allowing outside sources to your site. If you let a stranger in your house, don't be surprised if it is more difficult to protect yourself.
Originally Posted by kristovaher
Thank you for your answer. When you say "don't put login form on the same site where you load those iFrames", does it mean that I have to put that iframe on a different server? Or a different php file within my directory?
EDIT: Also, I'll be using $_SESSION there.. Any danger?
Thank you very much
Last edited by alex12345; 02-17-2012 at 01:03 PM.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)