Does this sound totally unsafe to you or am I just crazy? - HTML forum at WebmasterWorld - WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Does this sound totally unsafe to you or am I just crazy?

Javascript opening an iframe to pull in content from another server

AWildman

8:10 pm on Mar 2, 2009 (gmt 0)

10+ Year Member

Does that sound crazy or am I just uninformed? We have contracted out with a vendor to do a site. I insisted that all forms be done in house on our own servers. So, I create some forms that have the same template as the site being hosted elsewhere. The site, while hosted elsewhere does have a sub-domain of ours as an address. We're www.example.com and the site they host is denoted in our DNS as location.example.com. I was asked by one of the developers of the new site to remove the template from the forms I had done because they were going to use a pop-up to display the form. I look at what they're talking about and here they have a link that calls a javascript function to create a pop-up iframe that then displays the form! First, there are absolutely NO visual cues that the form itself is secure as it appears in an iframe. No lock, no https: in the address bar. Second, is it just me or does javascript + iframe + different server = security disaster? This is the issue I'm more concerned about right now. Thoughts? Am I a) crazy, b) uninformed, or c) was I informed correctly at some point but this is no longer a problem?
Thanks!

sonjay

9:58 pm on Mar 2, 2009 (gmt 0)

10+ Year Member

The whole setup does sound pretty weird. Is there any reason they can't or won't just link to the form on your server using https? As in, "<a href="https://www.example.com/ourform.html">Contact Us</a>"?

I'm assuming you have a good reason for insisting that the forms live on your server, and that you have SSL/secure cert set up properly, and that you have in place a post-processing script to do whatever it is you're going to do with the forms.

AWildman

10:38 pm on Mar 2, 2009 (gmt 0)

10+ Year Member

I asked them to use a straight link to the form, which, they finally did. I have concerns about the vendor that was chosen to produce the site. Our forms are on a secured server, with an SSL certificate on the appropriate site and solid form validation. That the vendor would allow for such a thing without warning the client is unfathomable to me. Did he not think that form security, or at least, recognition by the end user of said security, would be an issue? They wanted the nifty pop-up because, well, it looks nifty. I prefer safety over nifty any day, as do, I believe, our end users.

sonjay

11:24 pm on Mar 2, 2009 (gmt 0)

10+ Year Member

Glad you got them to go with the straight link.

It would definitely raise some red flags for me, if someone I hired wanted to present a secure form that way. Is it possible you can get an explanation of their reasoning for having done it that way in the first place? Did they just not know any better?

rocknbil

11:54 pm on Mar 2, 2009 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

What is processing the form? Scripts on your servers I hope?

My only thinking is that they don't know how to do server side scripting and had planned to "pass it off" to a form processing service somewhere out there on the web. A pop up window would "hide" this, for the most part. I know, a real reach, but can't imagine why else they would do this.

AWildman

11:59 pm on Mar 2, 2009 (gmt 0)

10+ Year Member

I haven't spoken with the developer to find out his logic. He isn't real big on security, as you can tell. The form and form handling is on our server. Normally, his CMS allows his clients to develop forms through it, but I said no way. Any handling of secure information was going to come through our own servers. Thank GOD I insisted! Thank you so much for your responses. I wondered if I was just being uber paranoid.