Forcing a user to authenticate using a pop-up - javascript

I have a page I want only authenticated users can come to. Also I want to authenticate them using a pop-up when they come to that page, say, twitter bootsrap or foundation. How can I do that if a user can just close it? It's unreliable, isn't it?

There is a risk that the user changes the css properties of your live page, to make it invisible pop-up. A simple tool like Firebug makes this possible. Authentications pages are safer in a page intended for this purpose.

Related

Is there a way to change between browser tabs programatically?

I'm trying to implement the following feature:
You are on website A
You open a link with target=_blank that goes to website B, in a new tab of course
On website B, there is a link that will make refocus on tab for website A.
Please note that I'm developing both websites and both are in Angular. Is there a way to implement this?
The purpose is not to lose the website state, otherwise I could just redirect the user by the website urls, however I'd lose state.
Thanks in advance!
There is no way to perform such action in JS, it would be a nightmare for everyone.
But... link on website B can just be a window.close()... Previous one will be re-focused.
Is it good for you?
You can't change the browser tab that the user is looking at, due to security concerns. Instead, consider redirecting the user and persisting the data in some appropriate way (e.g. a service)

Why some web-page can open popup directly while others need the user to confirm before opening? (Google Chrome)

Say I want one of my web pages to be able to open a popup window without prompting users.
I know it's reasonable to ask the user to agree. But I noticed that some website can just open a popup without asking the user's permission. I don't have some exact example for now but I think most of the <button>/<a> to trigger a Facebook or Twitter share is like this.
How can some website has to ask while some other website hasn't?
A window.open(url) would generally open a new window/ tab ( depending on what params you pass to it). I'm really not sure when a website asks for a confirmation before opening a popup. A particular example would really help.

AJAX - Modal Popup Not In Generated Source - How'd They Do That?

On the Bloomberg.com site, in the top right of the homepage there is a 'Sign In' link (next to their search textbox). Upon clicking the link a simple-looking modal popup appears into which one can enter one's sign-in credentials. Clean, elegant. With the popup still visible I did a generated source check and there's no evidence of the modal popup html anywhere in it. I'm wondering why the modal popup source is missing and, assuming it's coming from somewhere else, where it's coming from. Can someone please explain it?
More generally I assume that Bloomberg's login dialog is ultimately transmitting its user data on an encrypted basis. The home page itself is rendering as a standard http. Is there some hidden - and secure, presumably https - means by which this site, and others I'm sure, is accomplishing its modal information gathering and posting, securely and distinct from the base homepage? Any clarifications on how this is happening and the best practices for coding it would be appreciated. Thanks!
-- Rick
The popup is actually just presenting an iframe of this URL:
https://login.bloomberg.com/api/login?skin=&rt=http%3A%2F%2Fwww.bloomberg.com%2F&cc=0.13446950796060264
(And the iframe itself is presented over HTTPS, which covers the security issue you mentioned)

Fancybox - implementing backward and forward for iFrames

I'm using Fancybox to display webpages through an iFrame. Those webpages are like a little information network: they're calling each other via links, and the user can circle through them.
I wanted to implement back et forth buttons: I did it by putting those buttons directly inside the displayed page, and working with the history (history.go(-1)) : that works, as long as the browser behaves in the way they do with iFrames.
However, there's a problem: if the user clicks on the back button and is on the first page of his navigation, it will bring him back out of the website itself (as, out of the fancy box, it's a one-page website).
As for security purpose you cannot have access to the history and test it to avoid that, is there a way to find out if the user will get out of the domain if he does a step more? Document.referent doesn't seem to work in the context of Fancybox and iFrames…
Thanks A LOT, I tried many (mainly stupid things), including a javascript session with window.name (see how desperate I am ?) !

Is an overlay more susceptible to phishing?

Working on a web development project, functionality requires a user to navigate through the website then login and perform a very sensitive function. The login and subsequent functionality is hosted on a different site (sorry I can'be be more specific due to sensitivity)
Choices considered for the UI are:
A javascript overlay
A popup
Load in the full page
The current development and prototype user testing has been on an overlay with no problems. There is concern that an overlay does not show the address bar and the SSL certificate therefore is more susceptible to phishing.
A popup or a full page would be better in this respect but I have read studies that show users do not pay attention to passive indicators:
http://www.usablesecurity.org/emperor/
Popups also have the problem with popup blockers, the overlay looks the best and provides the least disruptive user experience, i.e. user feels they have not left the original site
So what is the best option considering security, usability and design?
Related question: is there any problems with loading an iframe within an overlay? e.g. scrollbars etc?
Edit: The question is more how to present the secure login page on an overlay, a popup or redirect to load the login in the full page. I'll edit the question to make this clear
Edit: Any links to research or studies showing increased phishing if an overlay is used would be very useful for making the case
Just redirect the user to login on the secure login page and customize its look. Make sure the secure login pages url are the same every time. You might wanna have a look at how Stack Overflow (a big website for programmers) handle logins with OpenIDs.

Categories