by buddydvd 4994 days ago
I agree. I recall when Facebook Connect was first introduced, it provided websites the ability to let non-logged-in users log in to Facebook via an inline iframe. (The experience is pretty much the same as the Stripe button's approach.) Facebook disabled it shortly after, for a reason that I think is pretty obvious: one can easily create an iframe login form that pretends to be from Facebook and use it to phish login credentials. Instead of using an iframe, Facebook now pops up a window to prompt the user for login credentials and app authorization. I believe it will only be a matter of time before Stripe abandons this inlined approach and switches to a popup-based solution; otherwise, they will likely jeopardize their brand/trust when malicious people start to spoof their payment flow.
2 comments

Also strongly agree. And am still confused about why I had to scroll down to the bottom of the comments to find people who point out what seems (to me) obvious: there is no way in hell I'm entering my credit card into an inline frame.
Does Facebook have any plans to do away with the iframe while fixing the issue? I'm trying to figure a way out but it just seems like there's no way at the moment.
I'm not sure what you mean -- Facebook disabled the iframe approach long ago.
Ah sorry. My bad! I meant if Facebook has any plans to avoid using the popup window?