Hey. I decided to get a paid plan on GitHub and PayPal looked like a good payment option to me. Click the blue button here:
There's no way to detect if the iframe is located on paypal.com or WeWantYourPassword.com. The best you can do (if you're into webdev) is to fire up your developer console
when the user opens devtools all your efforts are futile.
This seamless-looking UI is a major step back - we've been teaching users to trust the address bar and nothing else for 20 years! After a couple of successful payments with such fancy gateways, they will stop caring about basic security measures.
I created a ticket here about a spoofing attempt, because I really don't want to type my PayPal password while I'm on GitHub.com. How do I know GitHub wasn't hacked or something?
Some good news though: the Coinbase gateway had the exact same issue a year ago, but now they open the sign-in page in a new window. Kudos!
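Whether a sign-in page can be embedded on another site at all is decided by the response headers it sends. The following is an added example, not code from the original post or from any of the services named: a simplified model of the browser's framing decision based on `X-Frame-Options` and the CSP `frame-ancestors` directive. The function names and the `.example` origins used to exercise it are assumptions; only the direct embedder is modelled, and ports and paths in source expressions are not.

```javascript
// Added example: simplified model of how a browser decides whether a page
// served from `pageOrigin` may render inside an iframe on `embedderOrigin`.
// `headers` is an object with lower-case header names (constructed input).
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    // An empty source list behaves like 'none'.
    return directive.slice(1)
      .some(src => matchSource(src, pageOrigin, embedderOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === embedderOrigin;
  return true; // no restriction: any site can embed the page
}

// Match one frame-ancestors source expression against the embedding origin.
function matchSource(src, pageOrigin, embedderOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return pageOrigin === embedderOrigin;
  if (s === '*') return true;
  const embedder = new URL(embedderOrigin);
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s;
  // host-source: optional scheme, optional leading "*.", then the host
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/);
  if (!m) return false; // ports and paths are not modelled here
  const [, scheme, wildcard, host] = m;
  if (scheme && embedder.protocol !== scheme + ':') return false;
  return wildcard
    ? embedder.hostname.endsWith('.' + host)
    : embedder.hostname === host;
}
```

A sign-in page for which this returns `true` for an arbitrary origin can be placed inside any site's iframe, which is the situation the post describes.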