Accessing form data inside iframe


Problem description


Is it possible to access form data with JavaScript inside an iframe from an external source?

For example: I have a web store on example.com. If I use the payment gateway stripe.com with iframe integration (https://stripe.com/checkout), is it possible to access the input data the user inserts in the iframe popup at a 1s interval?

I would like to be sure that in case one hacks into my website, one cannot access payment details of customers.

Solution

Is it possible to access form data with JavaScript inside an iframe from an external source?

No. This is prevented by the Same Origin Policy.

If I use payment gateway stripe.com with iframe integration https://stripe.com/checkout is it possible to access input data user inserts

Not in a straightforward JS way, but there have been a number of clickjacking attacks against content in iframes. See for example http://www.contextis.com/documents/5/Context-Clickjacking_white_paper.pdf

However in this case the point is moot, as:

I would like to be sure that in case one hacks into my website, one cannot access payment details of customers.

This is not achievable. If your site is compromised (either at the server or at the client via XSS), the attacker can change the parent page to make it pop up a fake checkout iframe instead of using the real Stripe script, one that leaks entered payment details.

This is a risk with all iframe-based checkouts: the user can't verify the origin and HTTPS details of an iframe, so they have to trust those of the parent page (merchant).
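Since the answer's point is that a compromised parent page can swap in a different checkout frame, a merchant can at least monitor the HTML their server delivers. The following is an added example, not part of the original answer or any Stripe code: it compares origins the way the Same Origin Policy does and flags any `<script>` or `<iframe>` source outside an allowlist. The allowlisted hosts, function names and sample pages are assumptions constructed for illustration.

```javascript
// Added example; every name, host and sample page here is an assumption.
const PAGE_ORIGIN = 'https://example.com';        // merchant origin from the question
const ALLOWED_ORIGINS = new Set([
  PAGE_ORIGIN,
  'https://checkout.stripe.com',                  // assumed Stripe hosts: confirm against
  'https://js.stripe.com',                        // the integration you actually deploy
]);

// Same Origin Policy comparison: scheme, host and port must all match.
// URL.origin normalises default ports (https://a.com:443 -> https://a.com).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Return every <script src> / <iframe src> whose origin is not allowlisted.
// Regex extraction is enough for these constructed samples; a production
// audit should use a real HTML parser.
function auditEmbeds(html, pageUrl) {
  const findings = [];
  const tagRe = /<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, src] of html.matchAll(tagRe)) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin;      // resolves relative URLs against the page
    } catch {
      origin = 'invalid';
    }
    if (!ALLOWED_ORIGINS.has(origin)) {
      findings.push({ tag: tag.toLowerCase(), src, origin });
    }
  }
  return findings;
}

// Constructed sample pages (not real site content).
const CLEAN_PAGE = `
<script src="/static/shop.js"></script>
<script src="https://checkout.stripe.com/checkout.js"></script>`;

const TAMPERED_PAGE = `
<script src="/static/shop.js"></script>
<iframe src="https://payments.example.net/checkout"></iframe>`;

console.log(auditEmbeds(CLEAN_PAGE, PAGE_ORIGIN + '/checkout'));
console.log(auditEmbeds(TAMPERED_PAGE, PAGE_ORIGIN + '/checkout'));
```

This only inspects the HTML as served, so it catches server-side tampering but not frames injected into the DOM at runtime by an XSS payload, which is consistent with the answer's conclusion that the guarantee asked for is not achievable.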
