Is reCaptcha compatible with iFrames?

I'm evaluating moving 3rd party JavaScripts into sandboxed iFrames in order not to allow them access to main page data. So if a 3rd party script is compromised, only data in the iFrame could be stolen.

One of the flows we want to move is the auth form. Right now, we have a JavaScript with Google reCaptcha that triggers the logging flow against our servers. I thought about moving the whole form and reCaptcha JS into a sandboxed iFrame. This way I can isolate the reCaptcha JavaScript from the rest of the page. Login should be done inside the iFrame and, in some way, this iFrame will send the cookies or the session to the main page.

Do you think it is a valid scenario? My major concern is whether the reCaptcha script will work in a sandboxed iFrame.

Let me include 2 scenario designs. Scenario 1:

  • reCaptcha is isolated into an iFrame. Once reCaptcha is resolved, it passes the reCaptcha key to the parent frame and it is set on the form. One way to do this is by the postMessage API.
  • This way, reCaptcha code has no access even to the auth form.

Scenario 2 (if scenario 1 is not valid):

  • The whole auth form is isolated into an iFrame. In this case reCaptcha code has access to the login form, but not the whole page.

[Diagram: Scenario 1]

[Diagram: Scenario 2]

For both scenarios, after submitting the form with the reCaptcha key, there should be a way to pass the cookies or the needed keys to the main page without reloading it. This could be achieved by postMessage too.

Regards,
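
The parent-page side of the postMessage hand-off in Scenario 1, as an added example that is not part of the original post: it shows which checks the main page can apply before copying a token from the sandboxed frame into the auth form. The message shape `{type, token}`, the token pattern and all function names are assumptions made for illustration.

```javascript
// Added example; message shape, token pattern and names are hypothetical.
// Browser wiring (not run here):
//   window.addEventListener("message",
//     makeCaptchaReceiver({ frameWindow: iframe.contentWindow, expectedOrigin: "null", onToken }));

const TOKEN_RE = /^[A-Za-z0-9_-]{20,4096}$/; // assumed token alphabet and length bound

function makeCaptchaReceiver({ frameWindow, expectedOrigin, onToken }) {
  let accepted = false; // one token per form instance
  return function handleMessage(event) {
    // A frame sandboxed without allow-same-origin has an opaque origin, which
    // event.origin reports as the string "null". Every such frame looks the
    // same, so the sender is identified by window reference, not by origin.
    if (event.source !== frameWindow) return "rejected: wrong source";
    if (event.origin !== expectedOrigin) return "rejected: wrong origin";

    const data = event.data;
    if (typeof data !== "object" || data === null) return "rejected: malformed";
    if (data.type !== "captcha-token") return "rejected: wrong type";
    // Treat the token as opaque text: bounded length, no markup characters.
    if (typeof data.token !== "string" || !TOKEN_RE.test(data.token)) {
      return "rejected: bad token";
    }
    if (accepted) return "rejected: replay";
    accepted = true;
    onToken(data.token); // e.g. set a hidden form field; the server still verifies it
    return "accepted";
  };
}

// Constructed sample events standing in for browser MessageEvent objects.
function runDemo() {
  const captchaFrame = { name: "captcha-frame" }; // stands in for iframe.contentWindow
  const otherFrame = { name: "ad-frame" };
  const received = [];
  const handler = makeCaptchaReceiver({
    frameWindow: captchaFrame,
    expectedOrigin: "null",
    onToken: (t) => received.push(t),
  });
  const token = "a".repeat(40);
  const msg = { type: "captcha-token", token };
  const results = [
    handler({ source: otherFrame, origin: "null", data: msg }),
    handler({ source: captchaFrame, origin: "https://example.test", data: msg }),
    handler({ source: captchaFrame, origin: "null", data: { type: "captcha-token", token: "<b>x</b>" } }),
    handler({ source: captchaFrame, origin: "null", data: msg }),
    handler({ source: captchaFrame, origin: "null", data: msg }),
  ];
  return { results, received };
}
```
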



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
