Menu
When building a widget that is designed to be embedded on 3rd party websites, there appear to be two schools of thought as to how to do it:
iframesWhen using the iframe method, cross domain requests are not a problem, as the server thinks that the request originates from its own page.
When using the main page's DOM, cross domain requests are an issue, and the server needs to respond with the appropriate CORS headers for it work.
Which of these two methods is more secure, and what security issues should be taken into account in implementing each of these methods?
375
In the world of web development, iframes are a secure method of embedding content from other sites onto your own page. They are simply isolated containers on a web page that are managed completely independently by another host, usually a third party.
Third-party embeds are typically loaded in <iframe> elements on the page. Third-party providers offer HTML snippets often consisting of an <iframe> that pulls in a page composed of markup, scripts, and stylesheets. Some providers also use a script snippet that dynamically injects an <iframe> to pull other content in.
CORS does not improve security. CORS provides a mechanism for servers to tell browsers how they should be accessed by foreign domains, and it tries to do so in a way that is consistent with the browser security model that existed before CORS (namely the Same Origin Policy).
EMBED is basically the same as IFRAME, only with fewer attributes. Formally, EMBED is an HTML 5 tag, but on several browsers it will also work for HTML 4.01, if you are using this. It just cannot be validated. As always HTML 5 is recommended for the pages.
You might find this post interesting - How to protect widgets from forged requests:
You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters
Origin (i.e. protocol, domain and port).In the end it depends on the functionality of your widget. What is the consequence of the parent site automatically submitting the form or clicking a button on your widget under the context of the user? If there is a like or +1 button, the hosting page could be fraudulently promoting their site by making the like/+1 be registered with you without the user's knowledge or consent. This would apply to both approaches, only the attack method would differ (i.e. CSRF or Clickjacking).
The accepted answer on the above post has a solution for CSRF vs Clickjacking:
Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.
Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
In summary, the IFrame approach appears to have overall more security and implementing the popup window upon interaction mitigates the Clickjacking risk.
58
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
