How does collecting sensitive data using iframes increase security?



  • So this approach seems to be rather popular, particularly among payment processors that provide JavaScript integrations.

    The added layer of security that "fields in iframe" brings also supposedly reduces the level of PCI compliance required.

    Verygoodsecurity, a tokenization service that also offers forms for sensitive data collection, has a rather unusual approach of using a separate iframe for each field of the form, allowing the developer more control of the integration.

    What I was wondering was, what added security does this approach offer and what kind of threats does it mitigate compared with just sending the data to the trusted 3rd party via a web request?

    Am I wrong in thinking that if a bad actor is able to run JavaScript on your page, then they would be able to intercept the user's actions, regardless of iframes, or is that not the case? Can keypresses be intercepted? And if not, they could just strip out the iframes...

    Is it possibly just to make it a little less easy to get at the sensitive data? Maybe it would prevent a non-targeted attack, like just listening for anything that looked like credit card details...

    Quotes from PCI standards:

    iFrame provides “sandboxing” to isolate content of the embedded frame from the parent web page, thus ensuring that information is not accessible or cannot be manipulated through various exploits by malicious individuals.

    but then..

    If an attacker has compromised the merchant’s website, however, they can create alternative content for the frame, which then allows completion of the payment process as well as creation of a copy of the cardholder data for the attacker.



  • ... if a bad actor is able to run javascript on your page

    That's exactly the point one wants to avoid. Iframes allow third-party sites, including script, to be part of the visible page without having access to the parts of the page outside the iframes served by this specific third party. This is much safer than embedding third-party HTML (for the form) and script (for form control, like input checks) directly into the main page.

    If the iframe and main page come from a different origin, then the Same-Origin Policy will severely limit how they can interact with each other. Contrary to that, a third-party script included with the script tag has full access to the DOM and could do everything a same-origin script tag could do.
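
The answer above rests on the origin boundary between the merchant page and the processor's frame. The following is an added example (not part of the original thread or any vendor's code) of the parent-page side of such an integration; it goes one step beyond the answer by using `postMessage`, the standard narrow channel that remains across that boundary. The origin `https://fields.processor.example`, the frame path, and the message shapes are assumptions.

```javascript
// Added example: parent-page side of a hosted-field integration.
// PROCESSOR_ORIGIN and the message shapes are assumptions, not a real vendor API.
const PROCESSOR_ORIGIN = "https://fields.processor.example";

// An origin is the (scheme, host, port) tuple; URL.origin normalises default ports.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false; // unparsable input (e.g. the "null" origin of a sandboxed frame) never matches
  }
}

// Decide what the parent page accepts from a "message" event.
// The frame keeps the card number; only a validity flag or an opaque token crosses over.
function acceptFieldMessage(event, fieldFrameWindow) {
  if (!sameOrigin(event.origin, PROCESSOR_ORIGIN)) return null; // wrong sender origin
  if (event.source !== fieldFrameWindow) return null;           // not the frame we embedded
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type === "field-state" && typeof data.valid === "boolean") {
    return { type: "field-state", valid: data.valid };
  }
  if (data.type === "token" && typeof data.token === "string" &&
      /^tok_[A-Za-z0-9]{8,64}$/.test(data.token)) {
    return { type: "token", token: data.token };
  }
  return null; // anything else, including raw card data, is dropped
}

// Browser wiring; skipped outside a browser so the checks above also run under Node.
if (typeof window !== "undefined") {
  const frame = document.createElement("iframe");
  frame.src = PROCESSOR_ORIGIN + "/card-number.html"; // hypothetical path
  document.body.appendChild(frame);
  window.addEventListener("message", (event) => {
    const msg = acceptFieldMessage(event, frame.contentWindow);
    if (msg) console.log("accepted", msg.type);
  });
}
```
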


