Reputation: 2419
I have a scenario where a user visits my site. I'm going to use an iFrame to show another site on another domain (not in my control) in that iFrame. Now this site will show a login page. The customer will log in to this page. If the login is successful, I want to disable/blur the iFrame and show some fields on my page. Upon entry of the data on my site, I'll be enabling the iFrame and letting the user carry on.
My question is: How can I capture the login successful event in the iFrame?
Side question: Is there a better way of doing this than using the iFrame?
Upvotes: 0
Views: 433
Reputation: 5369
You want to know when the user has logged in on another site and imitate logging in behavior. What you describe is against the same-origin policy and an actual security break...
This could be done properly, without raising security concerns, if the external site shared login-related information (for example through OAuth). Then you could just pop up the external site's login page. Your user would enter his/her credentials and you would get proper access to its login action status.
Supposing that the external application is Facebook, you could find extra information and examples on this page. An OAuth tutorial for beginners could also be useful.
Hope I helped!
Upvotes: 1
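The popup approach suggested in the answer above, as an added example (not part of the original answer and not any provider's SDK). It assumes the external site offers an OAuth authorization-code flow and that your own `/oauth/callback` page posts the result to `window.opener`; `AUTH_ENDPOINT`, `CLIENT_ID`, `MY_ORIGIN` and the message shape are hypothetical.

```javascript
// Added example: AUTH_ENDPOINT, CLIENT_ID and MY_ORIGIN are hypothetical placeholders.
const AUTH_ENDPOINT = 'https://login.provider.example/oauth/authorize';
const CLIENT_ID = 'my-client-id';
const MY_ORIGIN = 'https://app.example'; // origin of our page and of our callback page

// URL the popup is opened with. `state` binds the eventual response to this request.
function buildAuthUrl(state) {
  const u = new URL(AUTH_ENDPOINT);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('redirect_uri', MY_ORIGIN + '/oauth/callback');
  u.searchParams.set('state', state);
  return u.toString();
}

// Our callback page (same origin as us) is assumed to run:
//   window.opener.postMessage({ type: 'oauth-result', code, state }, MY_ORIGIN)
// Returns the authorization code, or null when the message must be ignored.
function acceptLoginMessage(event, expectedState) {
  if (event.origin !== MY_ORIGIN) return null;        // only our own callback page
  const d = event.data;
  if (!d || d.type !== 'oauth-result') return null;   // unrelated message
  if (d.state !== expectedState) return null;         // not the login we started
  return typeof d.code === 'string' && d.code ? d.code : null;
}

// Browser wiring: call from a click handler so the popup is not blocked.
function startLogin(onCode) {
  const bytes = window.crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  window.addEventListener('message', function handler(event) {
    const code = acceptLoginMessage(event, state);
    if (code === null) return;
    window.removeEventListener('message', handler);
    onCode(code); // send to our server, which exchanges it for tokens
  });
  window.open(buildAuthUrl(state), 'login', 'width=500,height=650');
}
```

The login status reaches the page only through the same-origin callback, so nothing reads across the provider's origin.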
Reputation: 6793
I am not 100% sure if the below is what you require but you can try out the following:
Below is a quick example of XFO detection, without any Login Detection checks, on a few websites.
<script src="http://ajax.googleapis.com/ajax/libs/dojo/1.7.2/dojo/dojo.js"></script>
<script>
// Sites to probe.
var urls = [
  'http://www.wikipedia.org/',
  'http://ha.ckers.org/',
  'http://www.google.com/',
  'http://www.facebook.com/',
  'https://github.com/',
  'http://daringfireball.net/'
];

function detect() {
  dojo.forEach(urls, function(url) {
    // One hidden iframe per URL; the URL doubles as the element id for the lookup below.
    var iframe = dojo.create("iframe", { src: url, id: url });
    dojo.attr(iframe, "style", { display: "none" });
    // If the frame loads, remove it from the document.
    dojo.connect(iframe, "onload", function() {
      dojo.destroy(iframe);
    });
    dojo.place(iframe, dojo.body());
    // After 3 seconds, an iframe that is still in the document never fired onload;
    // the example reports that as "Yes" (XFO detected), otherwise "No".
    setTimeout(function () {
      var obj = dojo.byId(url);
      if (obj) {
        dojo.destroy(iframe);
        var entry = dojo.create("li", null, dojo.body());
        entry.innerHTML = "Yes: " + url;
      } else {
        var entry = dojo.create("li", null, dojo.body());
        entry.innerHTML = "No: " + url;
      }
    }, 3000);
  });
}

// The original snippet never called detect(); run it once the DOM is ready.
dojo.ready(detect);
</script>
For more methods and explanation of the above visit - http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/
Upvotes: 0