asp.net embed cross-domain

What are the pitfalls of embedding a form within an iframe on an external domain


Scenario:

We provide a hosted site that clients pay to use internally (a tool to support their business workflow). We have a requirement to provide a form that the clients can 'embed' in their outward facing site. This form will permit a member of the public to enter some details to register an interest - this data will be pushed to our remote system.

Question:

I'm currently planning on creating a simple HTML page that the client's web guys can include on their site with a minimum of technical knowledge required (either using an iframe or an object tag). If I do this, am I going to run into difficulties when the user tries to submit the embedded form (as it will be going to a different domain to the one they are currently browsing)?

I had a look at Google AdSense and I see that they just provide a link to a JS file that renders their ads - I'm not sure I see the advantage in this, but if anybody has any bright ideas...

Whatever technique that gets used, I'll have to authenticate the request as coming from my client's site(s).


Solution

  • If I do this, am I going to run into difficulties when the user tries to submit the embedded form (as it will be going to a different domain to the one they are currently browsing)?

    No issues; you'll need to hardcode a POST URL into your form.

    Whatever technique that gets used, I'll have to authenticate the request as coming from my client's site(s).

    That may be difficult. The request will be coming from the user's browser.

    You could make it a requirement for a client to define some JavaScript variable in the containing page, like:

    var client_id = '2315213452';
    

    and attach a script to pick up this value and submit to your server along with the form.

    The trouble is, any hacker could see this value in plain text and take it, thus compromising your security.
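
One way to avoid relying on the visible client_id as a secret, shown as an added example (not code from the original question or answer): the server that hosts the iframe page restricts which sites may frame it with a Content-Security-Policy frame-ancestors header, and puts a short-lived HMAC-signed token in the form that the POST must return. The client registry, origin, function names and 15-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample registry: public client_id -> origins allowed to embed the form.
const CLIENTS = new Map([["2315213452", ["https://www.client-a.example"]]]);
const SECRET = crypto.randomBytes(32); // server-side key, never sent to the browser
const TOKEN_TTL_MS = 15 * 60 * 1000;   // assumed token lifetime

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Called when serving the iframe page for a client_id.
// Returns the response header to set and the token to place in a hidden field.
function renderEmbed(clientId, now = Date.now()) {
  const origins = CLIENTS.get(clientId);
  if (!origins) return null; // unknown client: do not render the form
  const payload = `${clientId}.${now + TOKEN_TTL_MS}`;
  return {
    // Browsers refuse to display the page inside a frame on any other origin.
    headers: { "Content-Security-Policy": `frame-ancestors ${origins.join(" ")}` },
    token: `${payload}.${sign(payload)}`,
  };
}

// Called on the form POST. Returns the client_id the token was issued for, or null.
function verifySubmission(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [clientId, expires, mac] = parts;
  const given = Buffer.from(mac, "hex");
  const expected = Buffer.from(sign(`${clientId}.${expires}`), "hex");
  // Constant-time comparison; the length check also rejects malformed hex.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expires) || Number(expires) < now) return null; // expired
  return CLIENTS.has(clientId) ? clientId : null;
}
```

The token shows that the form was served by your own server for that client and recently; it does not stop a script from requesting the embed page directly, so submissions still need rate limiting and validation.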