hey mom its 420
May 12, 2007

Does anyone have any experience with iframes and CSP? I'm having this issue at work and it's just driving me crazy.

Our site has a pretty strict CSP, and it includes a list of frame-src entries for which domains can be embedded as iframes. We're switching over from stripe to an alternative payment provider.

When you pay with a credit card, your bank's 3DS page gets shown by the payment provider (stripe, for example) in an iframe. Normally, your CSP would prevent these iframes, but stripe avoids this by first creating their own iframe (with no CSP), which our CSP allows, and then that iframe displays the 3DS iframes for various banks.

The new payment provider (adyen) just tries to directly show the 3DS iframes within our page. Of course, our CSP blocks this. They've told us to either relax our CSP (no go) or keep our own list of bank domains and include them in our CSP (unrealistic). So our idea was to emulate stripe and create a subdomain of our own with no CSP that then displays the iframes for banks.

Seems like it should work, and from what I've read, iframes shouldn't inherit the CSP of their parent frames. But when our iframe tries to load up the bank's iframe, those get blocked saying they violate the CSP, and then there's a list of the CSP entries of the parent frame. We've even tried setting frame-src to * in the child frame, but to no avail. Also tried using a different tld, same thing.

So should iframes inherit the CSP of their parent frames or not? Lots of docs online (although they're pretty scarce about the topic) say they shouldn't, but to me it seems like they do. Is there a way around this?

If you've come this far reading thank you. I don't really expect people here to waste a lot of time on this issue without being paid, I'm just wondering if maybe someone has had a similar experience and can point me in the right direction.
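As an added illustration (not from the post or from either payment provider), here is a small Python model of which document's CSP governs a nested iframe, with the frame-src / child-src / default-src fallback chain. It is simplified: source expressions are matched on scheme and hostname only (ports, paths and redirects are ignored), only about:blank and srcdoc frames are modelled as inheriting the parent's policy, and every hostname in it is made up.

```python
from urllib.parse import urlparse

# about:blank / about:srcdoc frames are not fetched and carry no headers of their own, so they
# inherit the creating document's policy (blob:/data: also inherit; not modelled here).
INHERITING_SCHEMES = ("about",)

def parse_csp(header):
    """'frame-src a b; default-src c' -> {'frame-src': ['a', 'b'], 'default-src': ['c']}"""
    return {d.split()[0].lower(): d.split()[1:] for d in header.split(";") if d.strip()}

def origin_of(url):
    return "{0.scheme}://{0.hostname}".format(urlparse(url))

def source_matches(expr, url, self_origin):
    """Match one source expression ('self', https:, host, *.host, *) against a URL."""
    target = urlparse(url)
    if expr == "*":
        return True
    if expr == "'self'":
        return origin_of(url) == self_origin
    if expr.endswith(":"):                       # scheme-source, e.g. https:
        return target.scheme == expr[:-1]
    host = urlparse(expr if "://" in expr else f"//{expr}", scheme=target.scheme)
    if host.scheme != target.scheme or not target.hostname:
        return False                             # also covers 'none' and other keywords
    if host.hostname.startswith("*."):           # wildcard host, e.g. *.bank.example
        return target.hostname.endswith(host.hostname[1:])
    return target.hostname == host.hostname

def frame_allowed(policy, url, self_origin):
    """Apply the directive that governs frames: frame-src, else child-src, else default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return any(source_matches(e, url, self_origin) for e in policy[name])
    return True                                  # no governing directive: not restricted

def nested_frame_allowed(parent_csp, parent_url, child_url, child_csp, grandchild_url):
    """May the document in the child frame embed grandchild_url? The parent's policy only
    decides whether the child frame may load; the child's own policy (or the parent's, if
    inherited) decides what the child may embed."""
    if urlparse(child_url).scheme in INHERITING_SCHEMES:
        policy, self_origin = parse_csp(parent_csp), origin_of(parent_url)
    else:
        if not frame_allowed(parse_csp(parent_csp), child_url, origin_of(parent_url)):
            return False                         # parent's frame-src blocks the child frame itself
        policy, self_origin = parse_csp(child_csp), origin_of(child_url)
    return frame_allowed(policy, grandchild_url, self_origin)
```

The inheriting case is the one worth ruling out in the setup described above: an intermediate frame created as about:blank or srcdoc has no response headers of its own and takes the embedding document's policy, and a subdomain whose server sends the same CSP header as the main site will look as if it had inherited it.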


hey mom its 420
May 12, 2007

They're working on React Forget I think, which would make it so you don't have to carefully use useMemo and useCallback for render optimization, which would be great
