RE: Introducing SC2 Pay - A SteemConnect Add-On for Seamless STEEM/SBD Payments
The problem with an iframe is that the user cannot verify that he really stays on https://steemconnect.com, and it makes phishing easier. Even if I'm sure you are not malicious, it's not something we want users to get used to doing; for this reason I recommend users never type their keys if they cannot verify the address of the page. We show this message before typing any keys:
If you use a new tab or a popup the user would see the address.
@fabien yes, this was also pointed out by @jga below and I agree it is an issue... Do you have any thoughts on a different way to handle this? I would really, really like to be able to provide a way to make Steem/SBD payments without having the user leave the website to a new window or tab, but in a way that is still secure and can be verified.
I'd be super leery about using an iframe in general. I know there's some mucking around with CORS/Same Origin Policy to go through, but once that's done it's very easy for the parent page to do whatever it wants to the data found inside. The golden boy for submitting crypto payments right now is probably Metamask, which is either built into the browser or run as an extension for complete isolation.
I would go for a simple popup window, similar to what is used for services like Facebook login with apps, see:
@fabien How would you get around the built-in popup blockers in most browsers with that method? Or would you just leave it up to the user to have to allow them?
If the user is truly into your application, I don't think enabling a popup window is a huge problem.
Perhaps you can give the user different options... like open in "iframe" or "popup"...
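Added example, not part of the thread and not SteemConnect's or SC2 Pay's own code: a sketch of the popup flow discussed above, where keys are typed only in a window whose address bar the user can read and the embedding page accepts a result only from that exact origin and window. The path, the `nonce` field and the result message shape are assumptions made for illustration.

```javascript
// Added example. The path, message shape and nonce field are assumptions,
// not SteemConnect's documented API.
const TRUSTED_ORIGIN = "https://steemconnect.com";
const PAY_PATH = "/example-payment-path"; // placeholder path

// Build the popup URL and refuse anything that resolves off the trusted origin.
function buildPopupUrl(path, params) {
  const url = new URL(path, TRUSTED_ORIGIN);
  if (url.origin !== TRUSTED_ORIGIN) throw new Error("URL is not on " + TRUSTED_ORIGIN);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, String(value));
  return url.href;
}

// Decide whether a "message" event is the result from the popup we opened.
function acceptResult(event, popup, expectedNonce) {
  if (event.origin !== TRUSTED_ORIGIN) return null; // exact match, never startsWith/includes
  if (event.source !== popup) return null;          // must come from our popup window
  const data = event.data;
  if (!data || typeof data !== "object" || data.nonce !== expectedNonce) return null;
  if (data.status !== "success" && data.status !== "cancelled") return null;
  return { status: data.status, txId: typeof data.txId === "string" ? data.txId : null };
}

// Browser wiring: window.open runs inside the click handler, so it counts as
// user-initiated and default popup blockers let it through.
function attachPayButton(button, params, onResult) {
  button.addEventListener("click", () => {
    const nonce = crypto.randomUUID();
    const popup = window.open(buildPopupUrl(PAY_PATH, { ...params, nonce }),
                              "sc2pay", "popup,width=480,height=640");
    if (!popup) return onResult({ status: "blocked", txId: null });
    const listener = (event) => {
      const result = acceptResult(event, popup, nonce);
      if (!result) return; // ignore messages from any other origin or window
      window.removeEventListener("message", listener);
      onResult(result);
    };
    window.addEventListener("message", listener);
  });
}
```

The embedding page never handles keys in this flow; it only learns the outcome, and a `blocked` status lets it ask the user to allow popups for the site.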
@Fabian, I promoted my post using the promote button, but I can't find my post in the promotion section, and 1 SBD was deducted. Kindly assist.