Iframe Protection - iframe

We have a membership site which we wish to make accessible to the users of another password-protected website. I wonder if there is any protection script which would allow our content (delivered via an iframe) to be accessible ONLY from a specific domain?


Could an ISP access a site viewed through an iframe on a HTTPS site?

Let's say you have a website at https://foo.com and on this site you have an iframe that is pointing at another site, https://bar.com.
So obviously an ISP could see that you accessed foo.com, would they know you accessed bar.com?
Yes - it is still your browser which makes the DNS lookup/request to the second site.

How does Firefox check if a domain is a third-party domain?

Firefox has an option to disable third-party cookies. So, how does Firefox check if a domain is a third-party domain?
For example, are bbc.co.uk and bbci.co.uk the same domain, or, for example, google.com, google.fr and google-analytics.com?
I am working on Web privacy, and I need to know what exactly is considered a third-party domain (in particular in Firefox).
How does the Firefox browser get the domain of the page we are visiting? For example, what is the domain of support.mozilla.org? According to their feature to gray out everything except the domain name, it seems that it is mozilla.org. Is it something that is returned by the HTML document? Or does Firefox get it from the URL being visited?
From the MDN documentation:
Cookies have a domain associated to them. If this domain is the same as the domain of the page you are on, the cookie is said to be a first-party cookie. If the domain is different, it is said to be a third-party cookie.
None of your examples are the same domain as any of the others.
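The comparison asked about above, as an added example that is not part of the original question or answer. It assumes the check is made on the registrable domain (the public suffix plus one label, taken from the Public Suffix List) of the hostname in the URL; the suffix set, the function names and the `static.` and `news.` hostnames are constructed for illustration.

```javascript
// Constructed subset of the Public Suffix List; a real check needs the full list.
const SUFFIXES = new Set(["com", "org", "fr", "uk", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
// Returns null when the host is itself a suffix or matches no suffix (e.g. an IP).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // i = 0 tries the longest candidate first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// A resource is third-party when its registrable domain differs from the page's.
// The hostname comes from the URL itself, not from anything in the HTML document.
function isThirdParty(pageUrl, resourceUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const resHost = new URL(resourceUrl).hostname;
  const a = registrableDomain(pageHost);
  const b = registrableDomain(resHost);
  // Without a registrable domain, fall back to an exact host comparison.
  if (a === null || b === null) return pageHost !== resHost;
  return a !== b;
}

// The hostnames from the question, plus constructed subdomains of them.
const cases = [
  ["https://www.bbc.co.uk/", "https://news.bbc.co.uk/story"],
  ["https://www.bbc.co.uk/", "https://static.bbci.co.uk/app.js"],
  ["https://www.google.com/", "https://www.google.fr/"],
  ["https://www.google.com/", "https://www.google-analytics.com/ga.js"],
  ["https://support.mozilla.org/", "https://www.mozilla.org/logo.png"],
];
for (const [page, res] of cases) {
  const verdict = isThirdParty(page, res) ? "third-party" : "first-party";
  console.log(`${new URL(page).hostname} -> ${new URL(res).hostname}: ${verdict}`);
}
```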

Security of embedding iframe payment form

I need to create payment forms for a few websites (which aren't mine), but I am building the payment form itself that is called via an iframe. Essentially I'm a 3rd party who will be generating payment forms for other sites to use.
Assuming the page hosting the iframe is SSL and the content of the iframe is retrieved using SSL, are there any security concerns I should be aware of?
The only related post I found only gave the answer "the user can't verify SSL was used." It didn't explicitly state whether or not stuff like clickjacking or any other sort of malicious attacks could come into play.
What about if the website hosting the iframe is http and not https? Is the biggest concern someone changing the iframe location?
Thank you

Same Origin Policy Restriction on sub domain

Is it possible to apply a Same Origin Policy restriction to content served from a subdomain iframe to the main domain?
If possible, then please provide an example.
Thanks in advance!
Actually, I am using an iframe to serve downloads on a site. The iframe method is working fine for content from other sites, but when using it with a subdomain it opens the content directly. This is my problem.
Well, what about not using the "main" domain? This is one of the cases where it's quite handy to have a http://www.something.com/ address rather than http://something.com/. Now, e.g., http://data.something.com/ isn't a sub-domain of http://www.something.com/ and so you can do things like limiting the sending of cookies, and same origin policies.

Using VisualForce pages/controllers

How can visualforce pages and their respective controllers be hosted on SFDC but have my own domain name and URL extension being used when directing users to them?
I am building pages in VisualForce with Apex controller extensions in the background and would like to know how to direct my users to them whilst still prepending the filename with my own URL and not na9.salesforce......
Would these pages have to be hosted on Sites.com Or can I host them as pages in my developer.force.com account? I think the first because if they were to be hosted within SFDC then a login would be required to view the pages?
I am so confused that things are not going well. I know that SFDC want everything to be integrated, but I think that users should just be happy with a single solution that does not have modules thrown all over the place where you need bespoke training to use effectively.
Salesforce.com's Sites is the technology that you are going to need to use if you want to provide your own domain (URL). Essentially, with that technology you can set up a guest account for anonymous user access. So everything still runs under the context of a user; it would just be this generic guest account.
This article explains the details of mapping your Domain to the Salesforce.com Site domain.