iframe 中的支付网关 (eWay) 页面 - 有任何安全问题吗?

发布于 2024-09-08 14:09:07 字数 240 浏览 9 评论 0原文

我想使用 eWay (http://eway.com.au) 作为支付网关,但问题是它不允许在其托管页面上进行太多自定义。我想显示客户会付费的产品,但这是不可能的,所以我想也许只是将托管页面敲入 Iframe 中。但话又说回来,我预计它会出现安全问题,尽管无法准确指出到底是什么问题。如果有人能让我更好地了解这是否会导致任何安全漏洞,我将不胜感激。

I would like to use eWay (http://eway.com.au) as payment gateway but the problem is it doesn't allow much customization on their hosted page. I would like to display products client would be paying for but that is not possible so I thought maybe just whack hosted page into Iframe. But then again, I'm expecting security issues with it, although couldn't exactly pinpoint what exactly could be the problem. I would be grateful if somone could give me a better idea if it would cause any security holes.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

擦肩而过的背影 2024-09-15 14:09:07

从另一个本应安全的网站嵌入 iframe 的问题在于,用户没有简单的方法来检查该网站是否是他们真正想要与之交谈的网站(您的网站可以很容易地将该 iframe 伪造为一个网站)在他们没有注意到的情况下访问您的网站:您可能是中间人,或者您和他们之间的某个人也可能(如果您没有在网站上使用 HTTPS)。

如果 iframe 指向 HTTPS 站点(最有可能是支付情况),用户将无法检查锁或蓝/绿栏。
可以查看页面的源代码来检查 URI,但很少有用户知道如何执行此操作,甚至更少的用户会做到这一点。

(请注意,即使这不是一个好主意,一些大网站还是会做这种事情。)

The problem with embedding an iframe from another website that is meant to be secure is that the users have no easy way to check that this website is the one they really want to talk to (your website could quite easily fake that iframe to be on one of your sites without them noticing: you could be the man in the middle, or someone between you and them could, if you're not using HTTPS on your site).

If the iframe points to an HTTPS site (most likely to be the case for payments), the users won't be able to check the lock or blue/green bar.
It's possible to look into the source of the page to check the URI, but very few users know how to do this, even fewer will go that far.

(Note that, even if it's not a good idea, some big websites do this sort of things anyway.)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文