Let’s say there is a third party site not protected under https.
The third party site integrated a javascript call that basically gets a payment form from my site and adds the payment form on the third party site.
The person fills out the payment form which has a form action of “https://example.com/… ” where example.com is my site.
Will their information be encrypted even though they are filling out the payment form on a site not https protected, but the form action is https protected.
so basically:
the site that the payment form gets shown in is called http://thirdparty.com/welcome
The payment form has the following form code:
<form name = "payment" action = "https://example.com/process">
this form is being shown on a non-https encrypted site: http://thirdparty.com/welcome
and being sent to https://example.com/process
will the information provided in that form be encrypted?
The information they submit will be encrypted when it is sent over HTTP…
… but the page containing the form is insecure, can be intercepted enroute to the client, and can have extra JavaScript added to it. Such JavaScript might copy the payment information they enter to an attacker’s server (before it gets encrypted).
So the approach is, overall, not secure.
The user should be directed to a form hosted by your site in a page on your site, and not embedded on a third party site.