Iframe Security Concerns for the site receiver
Posted on 2009-04-23
I have read much conflicting information concerning security and the use of iframes. However, most of the questions have been from the site wishing to connect to another using an iframe. My question is the reverse, meaning I have a site that is SSL based and is part of an application process for my company, so we ask many questions on this site such as the person's Social Security information, date of birth, etc. All stuff that, if compromised, would be ripe for identity theft. We have many requests from 3rd party partners to include our site within their site using an iframe to our site. My concern is that this might open up a security problem. My question: is this a valid concern? More specifically, can the site page that is hosting our page in their iframe somehow scrape out this confidential information from our page and database for unknown purposes, or can a hacker of their site somehow gain access to the information on our page via the iframe from the partner site? These concerns are usually not an issue, as normally the person inputting the confidential information on our site is directly connected via their browser to our site and we use SSL to secure the session. If my concerns are invalid, can you please explain why? If they are valid, can you please give me some ammunition to use when my boss asks me why we shouldn't do this for our third party partners?