iFrame security risk for my app?

The Bubble docs gives the following info on security if you allow iframes:

It is a best practice in terms of security to prevent other websites from loading your application in an iframe. We recommend keeping the DENY option, but if your app requires being loaded in iframes, you can pick ‘Allow all iframes’. Note that this can have consequences on your application’s security.

I’m wondering if anyone knows what the potential consequences on application security are?

It seems like others have asked this question in the past but there are no answers, so would love some additional detail. Thanks!

From my understanding, it makes your app susceptible to clickjacking. Basically someone can run your app in an iframe and track the keys on a login form, for example. It would take a very unaware user for this to happen, but still, it’s possible.

I personally allow iframes since I have a widget users can embed on their site. Not too worried about the vulnerability, but I do get emails from “ethical hackers” looking to collect a bounty for it.

Got it, makes sense! Aligns with what I’ve been researching as well. So basically the security vulnerability is that a user might not realize they aren’t on your domain and they enter their email and password when an attacker is tracking their keystrokes?

Also for anyone else looking at this in the future, one potential workaround is in this thread (creating a second app only for iframes to prevent others from iframing your entire app):

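To make the DENY versus "allow all iframes" trade-off concrete, here is an added example that is not code from this thread, from Bubble, or from any Bubble app. It models how a browser decides whether a page may be rendered inside an iframe, based on the `X-Frame-Options` header and the Content-Security-Policy `frame-ancestors` directive, and compares three policies: DENY, no framing header at all (which is what "allow all iframes" amounts to), and an allow-list of embedding origins. The allow-list is the usual middle ground when a widget has to be embeddable on specific customer sites: those sites can still frame the page, but an arbitrary site can no longer load it invisibly over its own content. It assumes you can set response headers on your pages, which Bubble's two-option setting does not by itself expose; all origins below are made up, and the CSP source matching is simplified (no ports or scheme upgrades).

```javascript
// Added example, not code from the forum thread or from Bubble. Models the
// browser's framing decision for X-Frame-Options and CSP frame-ancestors.
// Every origin used here is made up.

// Response headers for a given framing policy.
// policy: 'deny' | 'allow-all' | 'allow-list'
// allowedOrigins: origins permitted to embed the page ('allow-list' only).
function framingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':
      // Legacy header plus the modern CSP directive, so old and new browsers agree.
      return {
        'X-Frame-Options': 'DENY',
        'Content-Security-Policy': "frame-ancestors 'none'",
      };
    case 'allow-all':
      // "Allow all iframes" means no framing restriction at all.
      return {};
    case 'allow-list':
      // Only the page's own origin and the listed embedders may frame it.
      return {
        'Content-Security-Policy':
          `frame-ancestors 'self' ${allowedOrigins.join(' ')}`.trim(),
      };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Simplified CSP source matching: 'self', 'none', '*', exact origins and a
// leading wildcard subdomain (https://*.example.com). Ports and the scheme
// upgrade rules of the real spec are deliberately left out.
function sourceMatches(source, embedderOrigin, selfOrigin) {
  if (source === "'self'") return embedderOrigin === selfOrigin;
  if (source === "'none'") return false;
  if (source === '*') return true;
  const m = /^(https?):\/\/(\*\.)?([^/*]+)$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const embedder = new URL(embedderOrigin);
  if (embedder.protocol !== `${scheme}:`) return false;
  return wildcard ? embedder.hostname.endsWith(`.${host}`) : embedder.hostname === host;
}

// Would a browser render the page inside a frame owned by embedderOrigin?
// A CSP frame-ancestors directive takes precedence over X-Frame-Options;
// with neither header present, any site may frame the page.
function framingAllowed(headers, embedderOrigin, selfOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    return sources.some((src) => sourceMatches(src, embedderOrigin, selfOrigin));
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === selfOrigin;
  return true;
}

// Evaluate each policy against a set of would-be embedders.
// Returns { policyName: { embedderOrigin: allowed } }.
function evaluatePolicies(selfOrigin, embedders, allowedOrigins) {
  const policies = {
    deny: framingHeaders('deny'),
    'allow-all': framingHeaders('allow-all'),
    'allow-list': framingHeaders('allow-list', allowedOrigins),
  };
  const result = {};
  for (const [name, headers] of Object.entries(policies)) {
    result[name] = {};
    for (const origin of embedders) {
      result[name][origin] = framingAllowed(headers, origin, selfOrigin);
    }
  }
  return result;
}

// Demo with constructed origins: the app itself, two legitimate widget
// embedders, and a page that would overlay the app for clickjacking.
const APP_ORIGIN = 'https://myapp.bubbleapps.io';
const EMBEDDERS = [
  APP_ORIGIN,
  'https://customer.example',
  'https://widgets.partner.example',
  'https://attacker.example',
];
const ALLOWED = ['https://customer.example', 'https://*.partner.example'];
console.table(evaluatePolicies(APP_ORIGIN, EMBEDDERS, ALLOWED));
```

The table shows the point of the thread in one glance: under `deny` nobody can frame the page (not even the app itself), under `allow-all` everybody can, including the attacker's page, and under the allow-list only the app and the named embedders can. Note that DENY also blocks your own pages from framing each other, which is why the docs suggest keeping it unless you actually need framing.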