I would like to use eWay (http://eway.com.au) as payment gateway but the problem is it doesn't allow much customization on their hosted page. I would like to display products client would be paying for but that is not possible so I thought maybe just whack hosted page into Iframe. But then again, I'm expecting security issues with it, although couldn't exactly pinpoint what exactly could be the problem. I would be grateful if somone could give me a better idea if it would cause any security holes.
+2
A:
The problem with embedding an iframe from another website that is meant to be secure is that the users have no easy way to check that this website is the one they really want to talk to (your website could quite easily fake that iframe to be on one of your sites without them noticing: you could be the man in the middle, or someone between you and them could, if you're not using HTTPS on your site).
If the iframe points to an HTTPS site (most likely to be the case for payments), the users won't be able to check the lock or blue/green bar. It's possible to look into the source of the page to check the URI, but very few users know how to do this, even fewer will go that far.
(Note that, even if it's not a good idea, some big websites do this sort of things anyway.)
Bruno
2010-07-07 02:19:07