tomazzlender

Reputation: 1123

Accessing form data inside iframe

Is it possible to access form data with JavaScript inside an iframe from an external source?

For example: I have a web store on example.com. If I use the payment gateway stripe.com with the iframe integration https://stripe.com/checkout, is it possible to access the input data the user inserts in the iframe popup on an interval of 1s?

I would like to be sure that in case one hacks into my website, one cannot access the payment details of customers.

Upvotes: 1

Views: 1534

Answers (1)

bobince

Reputation: 536349

> Is it possible to access form data with JavaScript inside an iframe from an external source?

No. This is prevented by the Same Origin Policy.

> If I use payment gateway stripe.com with iframe integration https://stripe.com/checkout is it possible to access input data user inserts

Not in a straightforward JS way, but there have been a number of clickjacking attacks against content in iframes. See for example http://www.contextis.com/documents/5/Context-Clickjacking_white_paper.pdf

However in this case the point is moot, as:

> I would like to be sure that in case one hacks into my website, one cannot access payment details of customers.

This is not achievable. If your site is compromised (either at the server or at the client via XSS), the attacker can change the parent page to make it pop up a fake checkout iframe instead of using the real Stripe script, one that leaks entered payment details.

This is a risk with all iframe-based checkouts: the user can't verify the origin and HTTPS details of an iframe, so they have to trust those of the parent page (merchant).

Upvotes: 2
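
The origin comparison behind the answer above, as an added example that is not part of the original post: a check an external monitor could run over the iframe `src` values of a rendered merchant page, flagging any frame that is not served from the expected checkout origin. `ALLOWED_ORIGIN` (taken from the URL in the question), `frameOrigin`, `auditFrames` and the sample URLs are assumptions made for illustration.

```javascript
// Added example: audit iframe sources against the one origin expected to host checkout.
// ALLOWED_ORIGIN is an assumption based on the question's URL; set it to the real integration.
const ALLOWED_ORIGIN = "https://stripe.com";

// The Same Origin Policy compares the (scheme, host, port) tuple. URL.origin
// serialises that tuple and drops default ports, so string equality is enough.
function frameOrigin(src, pageUrl) {
  if (!src) return null;                  // no src: about:blank, inherits the parent
  let url;
  try {
    url = new URL(src, pageUrl);          // resolve a relative src against the page
  } catch (e) {
    return "invalid";
  }
  // data:, blob:, javascript: and about: carry no network origin to verify.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "opaque";
  return url.origin;
}

// Returns the frames that are NOT isolated content from the expected origin.
function auditFrames(frameSrcs, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const src of frameSrcs) {
    const origin = frameOrigin(src, pageUrl);
    if (origin === ALLOWED_ORIGIN) continue;
    let reason;
    if (origin === null || origin === pageOrigin) {
      reason = "same origin as merchant page, readable by its scripts";
    } else if (origin === "opaque" || origin === "invalid") {
      reason = "no verifiable origin";
    } else {
      reason = "unexpected origin " + origin;
    }
    findings.push({ src, reason });
  }
  return findings;
}

// Constructed sample: frame sources as collected from a rendered merchant page.
const sample = [
  "https://stripe.com/checkout",
  "https://stripe.com:443/checkout",          // default port, same origin
  "http://stripe.com/checkout",               // scheme differs
  "https://stripe.com.pay.example/checkout",  // host differs
  "/checkout-frame.html",                     // resolves to the merchant's own origin
  "data:text/html,<form></form>",
];
console.log(auditFrames(sample, "https://example.com/cart"));
```

The check belongs in a monitor outside the page, since scripts on a compromised page can alter anything that runs inside it.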
