Closed moontools-hyperion closed 3 years ago
It's rather a good thing, iframing makes users vulnerable to clickjacking
If a user is interacting with Pancakeswap/Uniswap on a domain other than the official domain, then they should be aware and trust the parent domain that they are on anyway.
If clickjacking is a concern, this is already mitigated by Metamask, since users have to approve and submit transactions via Metamask, which is not susceptible to clickjacking. Besides, a malicious browser plugin could easily clickjack a user who is on the official Pancakeswap domain anyway, the same way a malicious parent domain embedding Pancakeswap could try to deceive users.
Dex explorers like MoonTools, Dextools and Astrotools have all integrated Uniswap in their apps via iframes. Considering this as non-issue would stifle the growth of the Pancakeswap ecosystem.
Just my 0.02 BNB. Anyway, we would really like to integrate Pancakeswap with MoonTools. I can take a stab at this issue if the team decides that they want to fix it.
Currently have no plans to allow iframe for security reasons.
Bug Description
When https://exchange.pancakeswap.finance/#/swap is embedded within an iframe on a parent page, the embedded Pancakeswap page fails to load.
In the console, there are some warnings and errors thrown, and I think the issue is because Pancakeswap uses a package called redux-localstorage-simple to sync redux state and localStorage. However, pages within an iframe cannot interact with localStorage if they are not on the same domain.
Minimal reproducible example: https://jsfiddle.net/fv93q4sg/
Steps to Reproduce
Expected Behavior
The Pancakeswap exchange site should work when embedded in an iframe. Uniswap's exchange works this way, and we are able to embed it on https://app.moontools.io/pairs/0x02f14c27037bd30f18a6578590fd40fafd3376ff for example, under the "Swap" tab.
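The failure mode described in the report, where a cross-origin iframe is denied storage access and reading `window.localStorage` throws a SecurityError, is the kind of thing a state-persistence layer should degrade from rather than crash on. The wrapper below is an added example, not PancakeSwap's or redux-localstorage-simple's code: `createSafeStorage` takes a function that returns the backing store (in a browser, `() => window.localStorage`), probes it once, and falls back to in-memory storage when the probe throws. The `fakeLocalStorage` and `blockedLocalStorage` stand-ins are constructed so the block runs outside a browser.

```javascript
// Added example: storage wrapper that degrades to memory when localStorage
// is unavailable (e.g. a cross-origin iframe denied third-party storage,
// where touching window.localStorage throws a SecurityError).
function createSafeStorage(getBackingStore) {
  const memory = new Map();
  let backing = null;
  try {
    // Both the property access and setItem can throw, so probe both once.
    const candidate = getBackingStore();
    const probeKey = '__safe_storage_probe__';
    candidate.setItem(probeKey, '1');
    candidate.removeItem(probeKey);
    backing = candidate;
  } catch (err) {
    backing = null; // Degrade to memory instead of breaking the page shell.
  }
  return {
    // Lets callers decide whether persisted state is actually durable.
    isPersistent: backing !== null,
    getItem(key) {
      if (backing) return backing.getItem(key);
      return memory.has(key) ? memory.get(key) : null;
    },
    setItem(key, value) {
      if (backing) backing.setItem(key, String(value));
      else memory.set(key, String(value));
    },
    removeItem(key) {
      if (backing) backing.removeItem(key);
      else memory.delete(key);
    },
  };
}

// Constructed stand-in for a working same-origin localStorage.
function fakeLocalStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Constructed stand-in for the blocked cross-origin iframe case.
function blockedLocalStorage() {
  throw new Error('SecurityError: The operation is insecure.');
}
```

In the real app the call is `createSafeStorage(() => window.localStorage)`, and a persistence layer would read `isPersistent` to skip saving rather than throwing on every dispatch.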