www.webdeveloper.com

Thread: Security risks for using an iframe for external website?

  1. #1
    Join Date
    Jan 2012
    Posts
    74

    Security risks for using an iframe for external website?

    Hi,

    I want to make an iframe that will display an external website but I want to keep a horizontal toolbar at the top with my website logo.

    What are the security risks for my application/server, if I load external sites into an iframe?

    Thanks in advance.

    Alex

  2. #2
    Join Date
    Oct 2006
    Location
    UK
    Posts
    33
    The main problem would be if you didn't want the iframe to interact with the parent, or if you did. Attempts by JavaScript to do so are blocked by some browsers to prevent cross-site scripting hacks. Not all browsers will stop it though. So just be aware that in some browsers JavaScript from the frame could interact with your parent page, which might be a problem if you had something sensitive on there. The flip side being that if you need the frame to interact with the parent, it won't work in some browsers.

  3. #3
    Join Date
    Jan 2012
    Posts
    74
    Hi neilemrich,

    Thanks for your answer. I don't want the external site to interact with the horizontal parent frame at the top of the page. I just want it to be displayed and have no influence on my website.

    Do you think there is a viable way of blocking anything malicious?

    Thanks a lot

    A

  4. #4
    Join Date
    Oct 2006
    Location
    UK
    Posts
    33
    I don't know off the top of my head how you would stop this. I did a quick Google, but the results seem mostly concerned with how to stop it the other way around, when someone frames your site. I would suggest having a look on Google yourself, but if nothing comes up, know that modern browsers should block it (I'm using Safari, which I know does). Do you have anything sensitive on that page, and do you not trust the sites you are framing? You should be able to make a decision from that. Also, if you have cookies you can make them not readable by JavaScript, so that should limit what could be done.

    Neil

  5. #5
    Join Date
    Feb 2012
    Posts
    46
    You should not worry. iFrames are always protected by the browser. If iFrames are from different domains then they cannot communicate unless both are cooperating.

    But if you are trying to put ads on, say, Facebook and load Facebook in a frame, then this is something that Facebook can fight against as they can disable being loaded in an iFrame by checking whether you are trying to leech off them or not.

    There is always a security threat if you don't control both of these websites.

    A child is, in a way, the master, as it is being called from the top level. The child can create a new iframe to the same domain that the top-level site is at, overriding browser cross-domain rules (since the browser detects that communication is both ways), and then do whatever it wants on the top-level domain with JavaScript.

    How to avoid this? You can't. It is never a good idea to use an iFrame of an untrusted source just like it is never a good idea to include scripts from untrusted sources and so on.

    But if you have control over both of them or trust the iFrame domain then it is ok and you should not worry about visitors being able to mess things up.

    Article about the iFrame Inception is here.

  6. #6
    Join Date
    Jan 2012
    Posts
    74
    Hi,

    I actually want advertisers to enter their website's URL and the users have to stay, say 10 seconds, on the advertiser's website, to be able to view an article on my website.
    So there will be a kind of countdown on the top horizontal bar, just above the iframe with the external site.

    Is there a way to solve this issue in a secure manner?
    I will have to moderate the advertiser's website. Can I use a tool to detect malicious scripts on a third party web page?

    Cheers
    Last edited by alex12345; 02-17-2012 at 09:57 AM.

  7. #7
    Join Date
    Feb 2012
    Posts
    46
    Quote Originally Posted by alex12345:
    Hi,

    I actually want advertisers to enter their website's URL and the users have to stay, say 10 seconds, on the advertiser's website, to be able to view an article on my website.
    So there will be a kind of countdown on the top horizontal bar, just above the iframe with the external site.

    Is there a way to solve this issue in a secure manner?
    I will have to moderate the advertiser's website. Can I use a tool to detect malicious scripts on a third party web page?

    Cheers
    Well, your server itself will be safe; you don't have to worry about that. The only harm that JavaScript can do is to the user. If an advertiser enters the URL of a website that intends to harm your website's visitors' experience, then you have no protection against that, since you basically allowed them there, and if they circumvent iFrame cross-domain rules, then they can do whatever they want with the entire DOM tree of that page load.

    But this won't harm your server, so it is purely about the experience on your site by the person visiting it.

    How can you prevent this? By checking and making sure that everything works properly on the site that you load.

    This is no different than crosslinking a picture from the web someplace and the owner of the website changing the picture to say F#%K Y$U.

    But whatever you do, don't do it on 'sensitive' pages on your site. If you have a login form, don't put the login form on the same page where you load those iFrames, since that frame can place a listener and then start capturing whatever the user enters. If you need to place a login too, then have that on a separate page URL, and on that URL don't load these ads.

    To sum things up though, to make such an attack work requires a lot of effort for very little real damage. But that's the risk you take by allowing outside sources to your site. If you let a stranger in your house, don't be surprised if it is more difficult to protect yourself.

  8. #8
    Join Date
    Jan 2012
    Posts
    74
    Quote Originally Posted by kristovaher:
    But whatever you do, don't do it on 'sensitive' pages on your site. If you have a login form, don't put the login form on the same page where you load those iFrames, since that frame can place a listener and then start capturing whatever the user enters. If you need to place a login too, then have that on a separate page URL, and on that URL don't load these ads.
    Hi,
    Thank you for your answer. When you say "don't put login form on the same site where you load those iFrames", does it mean that I have to put that iframe on a different server? Or a different php file within my directory?

    EDIT: Also, I'll be using $_SESSION there. Any danger?

    Thank you very much
    A
    Last edited by alex12345; 02-17-2012 at 12:03 PM.
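The checks below are an added example, not code from anyone in this thread. They turn the thread's advice into server-side logic for the advertiser-URL scheme described in posts #6 to #8: reject a URL that would share the parent page's origin (the case in post #5 where a frame could script the top page), only accept http(s), escape the URL before it goes into the iframe markup, and issue the session cookie with the HttpOnly flag mentioned in post #4. `SITE_ORIGIN`, the cookie name `sid`, and the `sandbox` attribute are assumptions added here, not anything the thread specifies.

```javascript
// Origin of the page that will host the countdown bar and the iframe.
// Constructed value for this example; replace with your real origin.
const SITE_ORIGIN = new URL("https://example.test").origin;

// Validate an advertiser-supplied URL before embedding it.
// Returns the normalized URL string, or null if it must be rejected.
function validateAdvertiserUrl(input) {
  let u;
  try {
    u = new URL(input);                 // rejects relative paths and junk
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null; // no javascript:, data:, file:
  if (u.username || u.password) return null;                          // no embedded credentials
  // WHATWG URL parsing lowercases the host and drops default ports, so this
  // comparison matches the browser's own same-origin decision. A frame on our
  // origin could script the parent page, so it is refused outright.
  if (u.origin === SITE_ORIGIN) return null;
  return u.href;
}

// Escape a value for use inside a double-quoted HTML attribute, so the URL
// cannot break out of src="..." and inject markup into the parent page.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Build the iframe markup for an accepted advertiser URL, or return null.
// sandbox (assumption, not from the thread) withholds top-navigation from the
// frame; allow-same-origin is safe here only because same-origin URLs were
// already rejected above.
function buildAdFrame(input) {
  const href = validateAdvertiserUrl(input);
  if (href === null) return null;
  return `<iframe src="${escapeAttr(href)}" ` +
         `sandbox="allow-scripts allow-forms allow-popups allow-same-origin" ` +
         `referrerpolicy="no-referrer"></iframe>`;
}

// Set-Cookie header for the session: HttpOnly keeps it out of reach of any
// script (the thread's suggestion), Secure and SameSite limit where it is sent.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

module.exports = { SITE_ORIGIN, validateAdvertiserUrl, escapeAttr, buildAdFrame, sessionCookieHeader };
```

Serving the login form from a URL that never calls `buildAdFrame` keeps the separation post #7 asks for; the cookie flags do not replace that separation, they only stop a script on the page from reading the session id.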
