I have embedded an iFrame into my web-page. The iFrame keeps prompting the user to enter their security details via a dialog box which appears on the screen.
I do not have access to the server on which the iFrame is stored, but I do have security details and a username/password that works on this server. I would like to hardcode it so that the dialog box no longer appears - the details are automatically entered via Ruby/JS.
Is it possible to do this? If so, how?
If I'm correct in assuming this is an HTTP-Auth window (that is, the remote HTTPD itself - Apache or Nginx or IIS or whatever - is requesting authentication, not the site software) you can provide a login and password as part of the iframe src URL, e.g.
<iframe src="http://login#password:website.com"></iframe>
I wouldn't recommend this approach if the login and password are sensitive, but your choices are really either putting the login and password in a place where the end user can find them, like this, or making another arrangement with the owners of website.com to auto-authorize users of your site.
Related
My app is widget that is embedded into other website but the one of the most important features is login with facebook.
But now I have a problem.
I have iframe tag but also inside iframe I have:
<a href="http://roomtobid.com/social/login/redirect/facebook" class="btn btn-info btn-lg col-md-12" >Facebook</a>
and now when I try to click and login, just nothing happened.
Also when I look at browser console I get error:
Refused to display
'https://www.facebook.com/login.php?skip_api_login=1&api_key=17499948800008…m5xN3sZ3hrPQWQ44FYQPR1yPpsDwLuvoTP9jtZq6%23_%3D_&display=page&locale=sr_RS'
in a frame because it set 'X-Frame-Options' to 'DENY'.
How I can solve my problem?
Also I try to add target="_top" at <a> tag and that work but then send me to first to facebook and then as callback to original domain not back to iFrame.
Is there any way to solve this?
I see that zopim chat allow their visitors to login with facebook, but their facebook login is opened into new small window.
but then send me to first to facebook and then as callback to original domain not back to iFrame
Of course not.
It only redirects back to the address specified as redirect_uri - and that address has to match the app domain, resp. be specified as a valid OAuth redirect URI in the app settings.
The only thing you can possibly do, is put the URL of the page that the iframe is on, into your apps callback URL as a parameter - so that your app can redirect back there, after Facebook login has redirected back to your app.
You could also try and put it into the session - but that might be problematic if the user has multiple pages opened that embed your widget, plus session cookies and 3rd-party cookie blocking easily cause additional trouble.
And that still leaves your with the problem of getting the "parent" page's URL in the first place. The parent page would have to explicitly transport that information to your widget in the first place, like via a GET parameter that they append to your widget's address in the iframe src. (Either the URL directly, or maybe some sort of client identifier, that you then look up in your database.)
External website A offers a form to be filled out only once. When a user has filled it out, the form will be hidden when he calls the website A again due to cookies.
Now I want to detect whether a user has been on website A. Basically, I think, I need to request website A "in the name of" this user and parse the response.
I tried using embedding, iframe, cross domain requesting, cross domain with proxy server. Either the browser restrictions block me or I can request the website, but with another session!
How can this be done?
Without the co-operation of the other website: it cannot. Browsers are designed to make that sort of invasion of privacy impossible.
If the other site is willing to expose that information, you could use Ajax via JSONP or CORS, or you could redirect to user to a URL on the other site which, in turn, redirects back to your site with a query string that indicates if the form has been filled out.
I have got a 3rd party website, which my customer wants to me to login into in order to download some data periodicaly.
The data is customer specific, and password protected.
I have the username/password, and I have searched for ways to do the login automatically so that I can pull data, but so far with no success.
This is a method that I have tried:
http://crunchify.com/automatic-html-login-using-post-method-autologin-a-website-on-double-click/
When I look into the login page of the website which I am trying to login to (view source), I don't see the login form, but if I click on "inspect element" in chrome on the fields of the page it does show that there is a login form hiding in there.
Any suggestions
Edit:
Here is the website which I need to autologin to: http://portal.dorad.co.il/#/Login unfortunatlly it's not in english. The first field is the username, the second field is the password and the button is the login
Edit2:
Taking pomeh's advice, I was able to find the jQuery code that is being triggerted when the text boxes are being modified. Now I want to run this script manually using element.DomContainer.Eval
(function(n,t){function vi(n){var t=n.length,r=i.type(n);return i.isWindow(n)?!1:1===n.nodeType&&t?!0:"array"===r||"function"!==r&&(0===t||"number"==typeof t&&t>0&&t-1 in n)}function ne(n){var t=li[n]={};return i.each(n.match(s)||[],function(n,i){t[i]=!0}),t}function uu(n,r,u,f){if(i.acceptData(n)){var s,h,c=i.expando,a="string"==typeof r,l=n.nodeType,o=l?i.cache:n,e=l?n[c]:n[c]&&c;if(e&&o[e]&&(f||o[e].data)||!a||u!==t)return e||(l?n[c]=e=tt.pop()||i.guid++:e=c),o[e]||(o[e]={},l||(o[e].toJSON=i.noop)),("object"==typeof r||"function"==typeof r)&&
...
(t=n(this);r=r.not(t),t.removeData(f),r.length||clearTimeout(c)},add:function(t){function s(t,u,e){var s=n(this),o=n.data(this,f);o.w=u!==i?u:s.width(),o.h=e!==i?e:s.height(),r.apply(this,arguments)}if(!u[o]&&this[e])return!1;var r;if(n.isFunction(t))return r=t,s;r=t.handler,t.handler=s}}}(jQuery,this)
I am not sure how to activate it and give it the relevant data.
If you have the right mix of technical requirements then you want Single-Site-Sign-On (SSSO).
Not all of my clients have SSL and I don't want my user name and password on all of their sites. They are however all on the same server. Since my site supports SSL I can log in to my own site securely.
What you need to do conceptually speaking is log the IP of the administrator account along with the data/time stamp. Then if you visit your client's website (again, on the same server) from that same IP you can have your scripting language check the file. I require a short time-span (anywhere between 30 seconds to two minutes tops) and the same IP address. You can add additional technical requirements to strengthen security of course though your options will be limited as the domain name will be different. If the IP matches the criteria emulate the user being authenticated (static obviously since you likely won't/shouldn't have your administrative account information on their site) and you can be automatically signed in.
Maybe you could do this using a web scraping framework like:
Goutte for PHP (https://github.com/fabpot/goutte)
Scrapy for Python (http://scrapy.org/)
node.io for Node.js (https://github.com/chriso/node.io)
request for Node.js (https://github.com/mikeal/request)
WatiN for .Net (http://watin.org/)
In any case, I think a client side solutions will bring a lot of problems to do this. Maybe you can login into it using a form tag which points to the page, but you won't be able to manipulate the page afterwards. Also, you may not be able to use AJAX due to CORS restriction. You could embed the target page as an iframe but you can't either manipulate the page because of differents domains used (you can do that under certains conditions but it's hard to achieve this imho). So a server side solutions sounds better to me.
I want the user to be able to submit and render untrusted HTML within an application on say domain example1.com. In order to prevent malicious XSS from capturing the user's cookies the idea was to open the HTML in an iframe that uses a different domain, let's say example2.com. But in order to see this HTML the user has to be logged in on example1.com. How do I only render the HTML in the iframe on example2.com only if the user is logged in and authenticated on example1.com?
I was thinking maybe using a secret passed via postMessage that posts a form to render the HTML without ever setting a cookie. Anytime I wanted to update the iframe's content via JavaScript I simply recreate the iframe and then pass in the secret again and post the form again to render the untrusted HTML. Malicious JavaScript would not have access to the secret as that existed only on the previous page that posted the form. Would that be a good solution or is there something better?
Everytime that a user logged in example1.com you create a token for it.
To call your iframe content use something like example2.com/view.php?page=1&token=dsjahdjkhjh331
So the malicious script only could get the token, not the cookie. And if you create a "fingerprint" to the token, like concat the user with request address(IP) + browser agent, stealing the token is the same like stealing a random string.
I have to make changes to classic asp website where once a button is clicked it autologins to a third party website with a intermediate page that warns that you are logging in to a third party website.
The thirdparty is providing us with a username and password and gave us an examle javascript to encode the password to send to them. Now where do I store the userid and password. I cannot execute the javascript on the serverside. It has to go to the client. If the asp page which has the encryption javascript goes to the client side then the source can be viewed and the username and password is given out.
Is there a way that I can have hidden asp page whose only job is to encrypt the password and create a new url and auto redirect it to that new url.
So when the user clicks ok on the intermediate warning page I redirect it to this hidden asp page which does the encryption and a creates a url for get method and redirects to that page.
I am a novice as far as java script and classic asp is concerned. Any ideas/ advice will be appreciated.
Thanks,
--Abbi
As SLaks said, it really doesn't matter what you do, if the client browser MUST send the user/pass to the final website, then you cannot prevent that client browser from being able to see that user/pass. It MUST see it, in order to provide it to the other website.
What you might want to consider is creating a page that is loaded server side and presented to the client browser from your website. Think iframe (but not an iframe, that's still client side); where your server requests the page from the destination server, and then presents that page back to the browser. This could get very complex depending on the kinds of interactions that happen on that page; you would basically need to proxy all GET's and POST's between your server and the destination site. But this would eliminate the need for giving the browser the username and password.