Ashok

Reputation: 531

Do 3D Secure and net banking sites use the X-Frame-Options header?

I am trying to embed 3D Secure and net banking pages in an IFrame, and I am able to achieve it successfully for a few sites that I have tested. But I am not sure whether ALL bank pages will open in an IFrame.

What if a bank has set X-Frame-Options to SAMEORIGIN or DENY?

I tried searching for a tech spec regarding this, but couldn't find anything.
Is there a common rule of thumb or convention (in any spec) that an authenticating bank should/shouldn't use this header? How can I be sure that this will work for all the banks?
Any clarifications would be of great help.

P.S.: I know there are other ways of opening the authorization gateways. But still, I need clarity on this approach.

Upvotes: 10

Views: 1659

Answers (1)

baszak

Reputation: 456

You typically wouldn't just open an iframe with the bank domain. Instead you open an iframe from an outside payment provider's domain (Adyen, Braintree, etc.) and they, in turn, open another iframe inside, so that they only have to allow the payment provider's iframe to communicate with it.

What's interesting is that those iframes still usually have same-origin policies.

Upvotes: 0
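As an added example (my own code, not from the question or the answer above), the following Python evaluates whether a page's response headers, X-Frame-Options or a Content-Security-Policy frame-ancestors directive, would let a given origin frame it; this is the check behind both the question about bank pages and the answer's nested payment-provider iframe. All header values, origins and host names are constructed.

```python
from urllib.parse import urlparse

def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lowercased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()

def csp_directives(value: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source against the embedding origin (scheme+host; ports omitted)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if source in ("https:", "http:"):            # scheme-only source expression
        return embedder.startswith(source + "//")
    # a bare host ("bank.example") inherits the page's scheme; "*.x" covers subdomains
    src = source if "://" in source else f"{urlparse(page).scheme}://{source}"
    s, e = urlparse(src), urlparse(embedder)
    if s.scheme != e.scheme or not s.hostname or not e.hostname:
        return False
    if s.hostname.startswith("*."):
        return e.hostname.endswith(s.hostname[1:])
    return s.hostname == e.hostname

def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url frame page_url. CSP frame-ancestors,
    when present, overrides X-Frame-Options; with neither header, framing is allowed."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    csp = csp_directives(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return any(source_matches(s, embedder, page) for s in csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # absent or unrecognised (ALLOW-FROM is obsolete): framable
# Constructed sample: a 3-D Secure page that frames only itself and its PSP's subdomains.
BANK_3DS_HEADERS = {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors 'self' https://*.psp.example"}
```

Browsers check frame-ancestors against every ancestor in the frame chain, so in the nested arrangement the answer describes both the provider's iframe and the merchant's top-level page must be allowed by the bank's policy.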
