Security Concerns for Browser Games in Iframes

Tags: browsergames, Security

I'm not sure if this counts as an Information Security or Webmasters question rather than Programmers, however I'll see how we go.

I've been prototyping a help website for a particular browser game, and I've made the layout of the help website compact and concise, with the idea that the rest of the page space can be filled with an iframe containing the game itself, so players can also play while on my website.

This way, players of the game can play the browser game and have access to all of the tools and information on my help website at the top of the page. The help website doesn't interact with the game inside the iframe of course, and its purpose is to provide useful references and calculators relating to the game.

I've done some research into the security of iframes, and how the website hosting the iframe can't interfere with the iframe due to the Same Origin Policy. The only security flaw I can think of for players is players not being sure that the real official browser game is running in the iframe and not a fake phishing copy.

What other security concerns should I be aware of and how can these be overcome either by me, the developer, or checked by users to ensure their security on my help website when playing the game via my help website? My main concern is players not feeling safe playing the game through an iframe on my website.

Best Answer

There are many well documented vulnerabilities and attacks that use frames.

OWASP has a good list of them here with examples:

https://www.owasp.org/index.php/Cross_Frame_Scripting

Generally, users should always be wary of any frame content, especially cross-origin frames. Frames, including iframes, have undoubtedly been one of the largest vulnerabilities in the past, and new vulnerabilities are found quite often.

A browser extension would be my ideal form of a "helper" that would integrate into the existing page; Chrome has a great engine and community for this.

That said, it is ultimately up to the user whether they trust you or not no matter how you handle it.
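As an added illustration (not part of the original answer), the following Node script shows the framing check a defender would make: a framed site such as the game can publish a Content-Security-Policy `frame-ancestors` directive, and the browser only renders it inside an iframe when the embedding page's origin matches one of the listed sources. The policies and origins are constructed samples, and a host-source without a scheme is treated as matching any scheme, a simplification of the CSP matching rules.

```javascript
// Evaluate whether an embedding origin is allowed by a CSP frame-ancestors
// directive. Added example; policies and origins below are constructed.

function parseFrameAncestors(cspHeader) {
  // Directives are ';'-separated; return the source list after the name.
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null; // absent: CSP imposes no framing restriction
}

function originMatchesSource(origin, source, framedOrigin) {
  const o = new URL(origin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return origin === framedOrigin;
  if (src === '*') return true;
  if (src.endsWith(':')) return o.protocol === src; // scheme-source, e.g. https:
  // host-source: optional scheme, optional "*." wildcard, host, optional port
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ':') return false;
  // Simplification: no scheme in the source means any scheme is accepted.
  if (wildcard) {
    if (!o.hostname.endsWith('.' + host)) return false; // *.h matches a.h, not h
  } else if (o.hostname !== host) {
    return false;
  }
  const oPort = o.port || (o.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== oPort) return false;
  return true;
}

// Returns true when a page served from framedOrigin with this CSP header may
// be embedded by a page at embedderOrigin.
function mayBeFramedBy(embedderOrigin, cspHeader, framedOrigin) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;
  return sources.some(s => originMatchesSource(embedderOrigin, s, framedOrigin));
}

// Constructed sample: the game allows itself and subdomains of a help site.
const GAME_CSP = "default-src 'self'; frame-ancestors 'self' https://*.help.example";
```

Running `mayBeFramedBy('https://tools.help.example', GAME_CSP, 'https://game.example')` returns true, while an origin the game operator never listed returns false and the browser refuses to render the frame.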
