Re: Secure iFrames

[David Ford <david () blue-labs org>]

Use CSP, X-Frame-Options, Strict-Transport-Security, X-XSS-Protection,
CORS HTTP headers -- and _everything_ over HTTPS. Those are a great start.

-d

On 11/03/2014 08:02 AM, NightShade wrote:
> Was hoping to get some feedback on what everyone feels are best
> practices around securing iFrames.  I've seen a lot of payment
> platforms moving in this direction (ie. Gumroad, Stripe, Memberful)
> yet with little documentation around "here is the best way to secure
> the iFrame our JavaScript generates".
>
> The best documentation I've seen so far recommends an HTTPS webpage
> with the each link pointing to an HTTPS link as well.  This way when
> you click the link to load a modal / JS for the payment solution it is
> "supposedly" done over HTTPS even though the browser won't present a
> padlock (assuming the hosting page is HTTP).  The other example I've
> seen is a simple HTTP page that contains an HTTP link which in turns
> opens a secure iFrame....which is probably not a good idea since you
> are mixing secure and non-secure content.
>
> Thoughts?
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------