
HTML Forum

Does this sound totally unsafe to you or am I just crazy?
Javascript opening an iframe to pull in content from another server

10+ Year Member

Msg#: 3861210 posted 8:10 pm on Mar 2, 2009 (gmt 0)

Does that sound crazy or am I just uninformed? We have contracted out with a vendor to do a site. I insisted that all forms be done in house on our own servers. So, I create some forms that have the same template as the site being hosted elsewhere. The site, while hosted elsewhere does have a sub-domain of ours as an address. We're www.example.com and the site they host is denoted in our DNS as location.example.com. I was asked by one of the developers of the new site to remove the template from the forms I had done because they were going to use a pop-up to display the form. I look at what they're talking about and here they have a link that calls a javascript function to create a pop-up iframe that then displays the form! First, there are absolutely NO visual cues that the form itself is secure as it appears in an iframe. No lock, no https: in the address bar. Second, is it just me or does javascript + iframe + different server = security disaster? This is the issue I'm more concerned about right now. Thoughts? Am I a) crazy, b) uninformed, or c) was I informed correctly at some point but this is no longer a problem?



10+ Year Member

Msg#: 3861210 posted 9:58 pm on Mar 2, 2009 (gmt 0)

The whole setup does sound pretty weird. Is there any reason they can't or won't just link to the form on your server using https? As in, "<a href="https://www.example.com/ourform.html">Contact Us</a>"?

I'm assuming you have a good reason for insisting that the forms live on your server, and that you have SSL/secure cert set up properly, and that you have in place a post-processing script to do whatever it is you're going to do with the forms.


10+ Year Member

Msg#: 3861210 posted 10:38 pm on Mar 2, 2009 (gmt 0)

I asked them to use a straight link to the form, which they finally did. I have concerns about the vendor that was chosen to produce the site. Our forms are on a secured server, with an SSL certificate on the appropriate site and solid form validation. That the vendor would allow for such a thing without warning the client is unfathomable to me. Did he not think that form security, or at least, recognition by the end user of said security, would be an issue? They wanted the nifty pop-up because, well, it looks nifty. I prefer safety over nifty any day, as do, I believe, our end users.


10+ Year Member

Msg#: 3861210 posted 11:24 pm on Mar 2, 2009 (gmt 0)

Glad you got them to go with the straight link.

It would definitely raise some red flags for me, if someone I hired wanted to present a secure form that way. Is it possible you can get an explanation of their reasoning for having done it that way in the first place? Did they just not know any better?


WebmasterWorld Senior Member rocknbil (WebmasterWorld Top Contributor of All Time, 10+ Year Member)

Msg#: 3861210 posted 11:54 pm on Mar 2, 2009 (gmt 0)

What is processing the form? Scripts on your servers I hope?

My only thinking is that they don't know how to do server side scripting and had planned to "pass it off" to a form processing service somewhere out there on the web. A pop-up window would "hide" this, for the most part. I know, a real reach, but can't imagine why else they would do this.


10+ Year Member

Msg#: 3861210 posted 11:59 pm on Mar 2, 2009 (gmt 0)

I haven't spoken with the developer to find out his logic. He isn't real big on security, as you can tell. The form and form handling is on our server. Normally, his CMS allows his clients to develop forms through it, but I said no way. Any handling of secure information was going to come through our own servers. Thank GOD I insisted! Thank you so much for your responses. I wondered if I was just being uber paranoid.
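The concern the thread raises, a form served from www.example.com shown inside a pop-up iframe by a vendor page on location.example.com, as an added example that is not part of any post above: it shows that the two hosts are different browser origins even though they share a DNS zone, and how the form server can refuse to be framed at all so the only way to reach the form is the straight link the thread settles on. The hostnames are the thread's example.com names; window objects are passed in as parameters so the client-side check can run outside a browser.

```javascript
// Added example, not code from the thread or the vendor. It models the thread's
// setup: the form is served from www.example.com; the vendor site at
// location.example.com wants to show it inside a JavaScript pop-up iframe.

// An origin is scheme + host + port. location.example.com shares the DNS zone of
// www.example.com but is a different origin, as is http:// versus https://.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Headers the form server sends so browsers refuse to render it in a frame.
// With no allowed ancestors the form can only ever be a top-level page, which is
// exactly the "straight link" outcome the thread ends with.
function framingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',                           // legacy browsers
      'Content-Security-Policy': "frame-ancestors 'none'", // current browsers
    };
  }
  // CSP frame-ancestors takes precedence over X-Frame-Options when both are
  // present, so only the CSP header is emitted for a specific allow-list.
  const origins = allowedAncestors.map((u) => new URL(u).origin);
  return { 'Content-Security-Policy': `frame-ancestors ${origins.join(' ')}` };
}

// Client-side check the form page can run as a second line of defence. `win` is
// the window object (passed in so the logic can be exercised outside a browser).
// A cross-origin parent hides its location behind a SecurityError; that same
// isolation is why the user sees no lock or https:// for the framed form.
function framingStatus(win) {
  if (win.top === win.self) return 'top-level';
  try {
    const parentOrigin = new URL(win.top.location.href).origin;
    const ownOrigin = new URL(win.self.location.href).origin;
    return parentOrigin === ownOrigin ? 'framed-same-origin' : 'framed-cross-origin';
  } catch (err) {
    return 'framed-cross-origin'; // browser blocked the cross-origin read
  }
}

// In a browser the form page would call framingStatus(window) on load and, for
// anything other than 'top-level', show a notice instead of rendering the form.
```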

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved