IFrame security and CORS


Problem description

I have a generic question which I am trying to get a bit of information on.

I have a server and on this server I have a webform which submits to an API.

A third party company has a server and they need to host my form. As such, they IFrame my form into their page.

Is there any possible way for the third party company to obtain the data entered into the form contained within the iframe? Will their Apache logs record the data? Can they do something on their server which can help them get data?

My server is secure, it won't allow CORS or anything of this sort. The question is whether they can do anything their side to obtain the inputted data?

Recommended answer

No, they can't access the content of the iframe because it's not in their domain.

Yes, they can trick the user to steal the input: display something that looks like your iframe but is controlled by them, or use Clickjacking.

And, if they use http, even if your iframe uses https, an attacker can do that too and steal their data.
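
One mitigation for the clickjacking and http-parent cases mentioned in the answer, as an added example that is not part of the original answer: the server hosting the form sends a `frame-ancestors` policy naming only the partner's https origin. `partner.example` and the function names are hypothetical, and this does not stop a parent page from showing a look-alike form of its own.

```javascript
// Added example: build anti-framing headers for the page that serves the form.
// partner.example is a constructed placeholder origin.

function normalizeParentOrigin(entry) {
  const url = new URL(entry); // throws on malformed input
  if (url.protocol !== 'https:') {
    // An http parent page can be altered in transit, so never allow it.
    throw new Error(`parent must use https: ${entry}`);
  }
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    throw new Error(`parent must be a bare origin: ${entry}`);
  }
  return url.origin; // scheme + host, default port dropped, host lowercased
}

function framingHeaders(allowedParents) {
  const origins = [...new Set(allowedParents.map(normalizeParentOrigin))];
  if (origins.length === 0) {
    // No embedding partner: refuse framing everywhere.
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  // X-Frame-Options can only say DENY or SAMEORIGIN, so a foreign
  // parent is expressed through CSP frame-ancestors alone.
  return { 'Content-Security-Policy': `frame-ancestors ${origins.join(' ')}` };
}

// Headers to attach to every response that serves the form.
console.log(framingHeaders(['https://partner.example']));
```

With this policy a browser refuses to render the form inside any page other than the listed https origin, including the partner's own pages when they are served over http.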
