Is it a bad idea to have an iframe login dialog?

We are creating a website where we will distribute code fragments to our users, which they can post on their sites. These snippets contain a link containing javascript. When you click on the link, an iframe opens, containing a dialog box for entering our site. Then the user authenticates inside the iframe, does his work, and when he leaves the iframe, his session is closed. Everything works for us, and it is very smooth.

Our main concern is phishing. The user has a completely new way of simplification, from which the login page really begins. Phishing attacks, on the other hand, are also successful, even if the user can see the fake URL in the address bar.

Do you enter your (OpenId) credentials in an iframe? Does anyone know a pattern with which we could minimize the chance of a phishing attack?

+4
2 answers

The user has a completely new way to simplify where the login page really comes from.

There are ways to get around this by telling the user that a real login page may appear on them to identify themselves. This is usually done with easily identifiable images.

However, this is not the only problem. If you allow the creation of a login page (and the user expects this to be), you will also open yourself up to click attacks. A third-party site can create your login page, and then position: absolute your own HTML elements on top of it. Elements, such as input directly to yours, sniff every keystroke to fill in the password.

You can enable a simple "start the login process" button and possibly a username / identifier, but the form into which the password should be entered should open in its own browser window (either in the main window or in the pop-up window) with its own address bar and SSL indicator.

Do you enter your (OpenId) credentials in an iframe?

Goodness, no.

+2
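One way to enforce the "own browser window" recommendation from the answer above, as an added example that is not code from the question or either answer: the server that serves the password form refuses to deliver it inside a frame, both by response headers and by checking the browser's Fetch Metadata. The `/login` path and the handler shape are assumptions; the header names and values are standard.

```javascript
'use strict';

// Added example (not from the original thread): keep the password form out of
// any iframe, so a third party cannot frame it and overlay their own inputs.
// Layer 1: response headers that tell browsers never to render the page framed.
// Layer 2: a server-side check on Fetch Metadata (Sec-Fetch-Dest), so a framed
//          request never receives the form at all, only a top-level link.
// The "/login" route is a hypothetical path, not the site's real one.

// Headers for the page that contains the password field.
function loginPageHeaders() {
  return {
    // Modern browsers: refuse framing from any origin, including our own.
    'Content-Security-Policy': "frame-ancestors 'none'",
    // Legacy fallback for browsers that predate frame-ancestors.
    'X-Frame-Options': 'DENY',
  };
}

// Decide how to answer a request for the login page.
// `reqHeaders` is a plain object of lower-cased request header names.
// Returns { status, headers, body }; a real handler would render templates.
function handleLoginRequest(reqHeaders) {
  const dest = (reqHeaders['sec-fetch-dest'] || '').toLowerCase();
  const framed = ['iframe', 'frame', 'embed', 'object'].includes(dest);
  if (framed) {
    // Framed request: do not ship the password form. Offer a top-level
    // navigation instead, so the user sees the real address bar and TLS state.
    return {
      status: 403,
      headers: loginPageHeaders(),
      body: '<a href="/login" target="_top">Open the login page in this window</a>',
    };
  }
  // No Sec-Fetch-Dest (older browser) or a top-level navigation: serve the
  // form. Older browsers still get layer 1, so the check fails safe.
  return {
    status: 200,
    headers: loginPageHeaders(),
    body: '<form method="post" action="/login"><input type="password" name="pw"></form>',
  };
}
```

The "start the login process" button in the embedded snippet can then simply link to the login page with `target="_top"`, which is the only way the form will ever be delivered.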

I would recommend not using IFrames, as they do not allow accessibility, SEO, and semantics unless you want them to win. If you ask people to log in through the IFrame, then you have a certain accessibility barrier that can be considered legally discriminatory in some countries.

+1

Source: https://habr.com/ru/post/1307854/
