通过iframe信用卡付款表格有缺点吗？ [英] Are there drawbacks to credit card payment forms via an iframe?

问题描述

我在很多小型企业电子商务网站上看到的一个常见功能是，当我点击CHECKOUT按钮时，我被带离网站并被重定向到第三方支付网关的网址，如paypal，authorize.net等...在我在第三方网站上付款后，我被重定向回小企业电子商务网站。

A common feature I see in a lot of small business ecommerce websites is that when I click on the CHECKOUT button, I am taken away from the website and redirected to the url of a 3rd party payment gateway like paypal, authorize.net etc... After I make my payment on this 3rd party site, I am redirected back to the small business ecommerce website.

我想简化这个过程我的客户很少。我计划制作一张付款表单，其他人可以通过iframe将其嵌入到他们的网站中。付款表格将在SSL后面。当我的付款表单收到信息时，我会将其传递给像paypal这样的商家网关，并使用成功/失败响应重新加载iframe。

I would like to simplify this process for a few clients of mine. I plan to make a payment form that others can embed into their website via an iframe. The payment form will be behind an SSL. When my payment form receives information, I will pass it along to a merchant gateway like paypal, and reload the iframe with the success/fail response.

是否存在任何重大问题这个iframe方法？我问，因为我不记得支付网关，如paypal提供iframe嵌入代码的付款页面，即使它似乎是一件微不足道的事情提供。如果他们可以向网站所有者提供结帐网址以嵌入他们的网页，他们应该可以轻松地提供iframe嵌入代码。

Are there any major issues to this iframe approach? I ask because I don't recall payment gateways like paypal offering iframe embed codes for their payment pages, even though it seems a trivial thing to offer. If they can offer a checkout url to website owners to embed into their page, they should just as easily be able to offer an iframe embed code.

推荐答案

HTTPS连接安全性的一个基本方面是验证远程方的身份。与某人秘密交换数据是一回事，但您需要知道与谁在一起。

A fundamental aspect of the security of an HTTPS connection is the verification of the identity of the remote party. It's one thing to exchange data secretly with someone, but you need to know with whom.

从技术角度来看，服务器的身份使用其证书进行验证：

From a technical point of view, the server's identity is verified using its certificate:

• 需要信任，即客户端可以验证它是由它信任的机构发布的（RFC 3280/5280）。


• 需要向客户想要与之交谈的实体发出，即需要验证主机名（RFC 2818，第3.1节）。

然而，技术方面只是解决方案的一部分。用户需要能够查看浏览器尝试连接的站点。这是一个用户界面问题，只有用户可以检查浏览器正在尝试做什么，这取决于其UI显示的内容（期望大多数用户使用开发人员工具是不现实的。）

However, the technical aspect is only part of the solution. The user needs to be able to see which site the browser is trying to connect to. This is a user interface problem, and only the user can check what the browser is trying to do, within reason of what its UI is displaying (it's unrealistic to expect most users to use developer tools).

使用iframe会隐藏用户实际连接到该iframe的站点的名称（只有主页的地址显示在地址栏中）。这可以防止用户进行此验证。

Using an iframe hides the name of the site to which the user is actually connected for that iframe (only the address of the main page is displayed in the address bar). This prevents the user making this verification.

此外，如果HTTPS iframe位于HTTP页面内，情况会更糟，在这种情况下用户甚至无法做到检查是否使用了HTTPS。

In addition, it would be even worse if the HTTPS iframe was within an HTTP page, in which case the user couldn't even check that HTTPS is used at all.

嵌入式iframe有一个不好的例子，特别是 3-D Secure ，因为（a）它建议使用iframe和（b）即使没有使用iframe，该名称通常与用户的银行无关，商家网站或信用卡公司。

There are bad example of embedded iframes, in particular 3-D Secure, because (a) it recommends using an iframe and (b) even if an iframe wasn't used, the name generally has nothing to do with the user's bank, the merchant site or the credit card company.

这篇关于通过iframe信用卡付款表格有缺点吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！