
IFrame security and CORS


I have a generic question which I am trying to get a bit of information on.

I have a server and on this server I have a webform which submits to an API.

A third party company has a server and they need to host my form. As such, they IFrame my form into their page.

Is there any possible way for the third party company to obtain the data entered into the form contained within the iframe? Will their Apache logs record the data? Can they do something on their server which can help them get data?

My server is secure, it won't allow CORS or anything of this sort. The question is whether they can do anything on their side to obtain the inputted data?


Solution

  • No, they can't access the content of the iframe because it's not in their domain.

    Yes, they can trick the user to steal the input: display something that looks like your iframe but is controlled by them, or use clickjacking.

    And, if they use http, even if your iframe uses https, an attacker can do that too and steal their data.