NetCommunity Pages No Longer Allowed in an iFrame

As part of our normal product improvement processes, we review our security measures, protocols, and infrastructure on an ongoing basis. 

Blackbaud NetCommunity was automatically updated in this release to include security improvements which address vulnerabilities that could potentially compromise the integrity of our product.

As part of these security improvements, we removed the ability for you to use an iFrame on a third party website to display a Blackbaud NetCommunity Donation, Event Registration, Membership, or Online Admission/Reenrollment form. If a NetCommunity page is called in an iFrame on a 3rd party site, it will not display.

NetCommunity's iFrame Page Part will still work and NetCommunity will still display 3rd party content inside an iFrame on NetCommunity if the 3rd party site allows it.
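
The announcement does not say how NetCommunity enforces the block. As an added example (not Blackbaud's code), the sketch below models the two response headers browsers honour for framing, `X-Frame-Options` and the CSP `frame-ancestors` directive, so you can predict whether a page will render inside a given site's iFrame, for instance a third-party page you plan to show in the iFrame Page Part. All hostnames and header values are constructed.

```javascript
// Added example with constructed inputs; header names are expected in lowercase.
// Simplification: only the direct parent is checked, not every ancestor frame.
const schemeOk = (want, got) => got === want || (want === "http:" && got === "https:");

// Does one frame-ancestors source expression match the embedding page's origin?
function matchesSource(src, embedder, target) {
  const e = new URL(embedder), t = new URL(target);
  if (src === "*") return true;
  if (src.toLowerCase() === "'self'") return e.origin === t.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return schemeOk(src.toLowerCase(), e.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  // A source without a scheme inherits the scheme of the framed page.
  const want = scheme ? scheme.toLowerCase() + ":" : t.protocol;
  if (!schemeOk(want, e.protocol)) return false;
  const h = host.toLowerCase();
  const hostOk = wild ? e.hostname.endsWith("." + h) : e.hostname === h;
  const defPort = e.protocol === "https:" ? "443" : "80";
  return hostOk && (port === "*" || (e.port || defPort) === (port || defPort));
}

// Predict whether `embedder` may frame the page at `target` given its headers.
function framingAllowed(headers, embedder, target) {
  // Policies may arrive comma-joined; each one's first frame-ancestors
  // directive must allow the embedder. 'none' simply matches nothing.
  const lists = (headers["content-security-policy"] || "").split(",")
    .map(p => p.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean)
    .map(d => d.slice(1));
  if (lists.length) {
    // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
    const ok = lists.every(l => l.some(s => matchesSource(s, embedder, target)));
    return { allowed: ok, by: "csp frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, by: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    const same = new URL(embedder).origin === new URL(target).origin;
    return { allowed: same, by: "x-frame-options" };
  }
  // No header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return { allowed: true, by: "no enforceable policy" };
}
```

Feed it the headers from a response you captured yourself; a result of `no enforceable policy` means the page relies on nothing that a browser will enforce against framing.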


The removal of iFrames prevents a hacker from attempting to add malicious code into the various forms and capturing personal or payment information from your users.

Blackbaud has historically not recommended the use of iFrames due to these security issues. Our decision is to remove the use of iFrames in order to ensure the integrity of our customers’ websites. 
 
If your organization is currently using iFrames, Blackbaud recommends you take immediate action to remove them. Blackbaud recommends two options to replace your use of iFrames. 
  • Option One – Add Blackbaud NetCommunity design templates to all of your forms to match your existing website so that users seamlessly transition to the NetCommunity page.
  • Option Two – For a more robust solution, we recommend Blackbaud Online Express, which was built specifically to allow you to embed mobile-ready forms directly on third party website pages. With Online Express, you access a friendly user interface directly from within Raiser’s Edge to build forms. Then, you simply embed a small code snippet on your website wherever you need the form to appear. Regardless of whether the page on the third party site uses an SSL certificate (although we recommend it does), the form sends data over a secure, encrypted connection. When you are ready to process the transactions in Raiser’s Edge, you process them in the same familiar way you process transactions in Blackbaud NetCommunity.

If you require more time to remove iFrames, contact Blackbaud Support mentioning Knowledgebase Article 74384 to allow temporary continued use of iFrames until you update your third party website and Blackbaud NetCommunity forms. 

Blackbaud apologizes for any inconvenience that this may cause. We are committed to ensuring our products meet the highest level of quality, reliability, & security. If you have any questions or concerns please feel free to reach out to Blackbaud Support or your account executive.

 

1 Comment
I realize that this announcement is almost a year old, but we were just upgraded to 7.0 from 6.5 (or around that). This decision to prevent BBNC from loading in an iframe and using security as an excuse is weak. Web browsers already have built-in security for preventing cross-frame scripting hacks. My opinion is that you are trying to hook people into using BBNC instead of another platform that works better. We actually use BBNC, but the blogging features stink, so we use WordPress for that and I'd like to just show our logo and main site navigation inside an iframe (so I don't have to update multiple sites), but I can't even do that! Lame. Does anyone have a workaround?