Secure iframe on unsecure page in a different domain
https://stackoverflow.com/questions/229624
-
04-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Our company is looking into allowing third party sites to use our online checkout system.
A client has stated that they would like to be able to use a lightbox style popup to display the checkout. And they would like this to be available on every page of the site, therefore mostly unsecure pages. Our checkout system and the client site are obviously on different domains.
I'm guessing that I could use a secure iframe (using https) to display our checkout system.
Would this iframe actually be secure?
Is the a sensible thing to do? (my gut says no, as how can the user tell the page is secure)
Are there any better ways to achieve this same functionality?
Solution
Have you seen how other similar checkout systems work? For example the paypal checkout on ebay? They take you trough the checkout process "full screen" and back to the original site when the transaction is complete.
OTHER TIPS
Yes, the iframe would be secure, but you're correct that the customer wouldn't actually be able to tell that it's secure. On the other hand, most users can't tell if a page is secure anyway - a few images of padlocks scattered around will convince most of them.
Could you, when they click to pop out the checkout, send them to the same url under HTTPS then pop it out (you'd need your own SSL certificate of course)?
I know this is an old question but I was planning to do the same thing. The work-around is either to do the paypal thing -> go to a secure site for payment -> return to return-url. Or you could set up your own website with a very generic, short name like shop.com (obviously taken) but one that is not taken.
Your clients could then have their own space like https/www.theirsitename.shop.com,
so they would move from http/www.theirsitename.com to the above.
Most users won't even be able to tell they've moved to a new website, and the page will be secure. To get their products, you could make them POST it from their end, and perhaps also get them to POST a CSS file which would completely alter the layout so it looks like their own website.
