I want the user to be able to submit and render untrusted HTML within an application on say domain example1.com. In order to prevent malicious XSS from capturing the user's cookies the idea was to open the HTML in an iframe that uses a different domain, let's say example2.com. But in order to see this HTML the user has to be logged in on example1.com. How do I only render the HTML in the iframe on example2.com only if the user is logged in and authenticated on example1.com?
I was thinking maybe using a secret passed via postMessage that posts a form to render the HTML without ever setting a cookie. Anytime I wanted to update the iframe's content via JavaScript I simply recreate the iframe and then pass in the secret again and post the form again to render the untrusted HTML. Malicious JavaScript would not have access to the secret as that existed only on the previous page that posted the form. Would that be a good solution or is there something better?
Everytime that a user logged in example1.com you create a token for it.
To call your iframe content use something like example2.com/view.php?page=1&token=dsjahdjkhjh331
So the malicious script only could get the token, not the cookie. And if you create a "fingerprint" to the token, like concat the user with request address(IP) + browser agent, stealing the token is the same like stealing a random string.
Related
I'm trying to create an HTML page, and a part of it is to check if a user has an active Azure AD logged in session. If so then certain elements of the page would change.
The IdP and SP are setup correctly, and SSO works, this is a separate page from both of them.
This page is here before the user is redirected to the service provider. I just can't figure out how to do this! Is there any way to do it without redirecting the user off the page, maybe using JS?
After passing the aad authentication, you will get the access token.
You want to determine whether the azure session is valid before sso authentication. Then in your html page, if you include access token information, you can judge whether the tokens are valid and expired.
If the html page does not contain token information, it is recommended to use ropc flow to obtain the access token again. If you have to judge whether it has expired, it is recommended to store the information when logging in and verify it next time you log in.
I'm currently struggling with authentication on an application. The thing is that I need to get some authentication id from another application that is not in my domain. This could be easily solved if I was able to make a post request to that application and get in return that authentication id (glbid in my case).
I am able to perform that post request, but that would only work for authentication using the other app form. Since they also provide facebook / gmail login, what I'm trying to do is to read the glbid generated on that page after the login is executed.
I also know that the glbid that I need is located in localStorage on that page.
What I'm currently doing is loading an Iframe on my page with the link of that application login page. After the login via Iframe, I was hoping that I'd be able to access localStorage.
After some research, I've found out postMessage. It would work fine for some Iframe that I could have minimal control, but since the link that I'm embedding to Iframe is not in any case under my domain, I'm stuck!
Here's how I access the glbid via chrome console on the application domain login page:
JSON.parse(window.localStorage['ca.vc.data.glbid']).value;
As a result, I get the glbid. But I want to do that via Iframe. How can I do that? Can someome please support me, or if that is not possible via Iframe, show me another way to reach the same result?
My app is widget that is embedded into other website but the one of the most important features is login with facebook.
But now I have a problem.
I have iframe tag but also inside iframe I have:
<a href="http://roomtobid.com/social/login/redirect/facebook" class="btn btn-info btn-lg col-md-12" >Facebook</a>
and now when I try to click and login, just nothing happened.
Also when I look at browser console I get error:
Refused to display
'https://www.facebook.com/login.php?skip_api_login=1&api_key=17499948800008…m5xN3sZ3hrPQWQ44FYQPR1yPpsDwLuvoTP9jtZq6%23_%3D_&display=page&locale=sr_RS'
in a frame because it set 'X-Frame-Options' to 'DENY'.
How I can solve my problem?
Also I try to add target="_top" at <a> tag and that work but then send me to first to facebook and then as callback to original domain not back to iFrame.
Is there any way to solve this?
I see that zopim chat allow their visitors to login with facebook, but their facebook login is opened into new small window.
but then send me to first to facebook and then as callback to original domain not back to iFrame
Of course not.
It only redirects back to the address specified as redirect_uri - and that address has to match the app domain, resp. be specified as a valid OAuth redirect URI in the app settings.
The only thing you can possibly do, is put the URL of the page that the iframe is on, into your apps callback URL as a parameter - so that your app can redirect back there, after Facebook login has redirected back to your app.
You could also try and put it into the session - but that might be problematic if the user has multiple pages opened that embed your widget, plus session cookies and 3rd-party cookie blocking easily cause additional trouble.
And that still leaves your with the problem of getting the "parent" page's URL in the first place. The parent page would have to explicitly transport that information to your widget in the first place, like via a GET parameter that they append to your widget's address in the iframe src. (Either the URL directly, or maybe some sort of client identifier, that you then look up in your database.)
I have a blog that requires users to login to view the content. But my page checks for a cookie, if cookie exists then it shows the content (to avoid users having to login repeatedly).
I want to send out an email to my subscribers with links to new posts. Is it possible for me to create a cookie when they open the email or click the link and then recognize that cookie on my website to prevent the requirement of them needing to login?
No.
Most email clients capable of rendering HTML will not, by default, load any remote content or run scripts. And using a JavaScript cookie for authentication is inherently insecure anyway.
Give the a link to click on in the email with a one-time-password and set a http-only, secure cookie from the page the URL links to.
I'm trying to remove the user's authentication cookie by using $cookieStore.remove('.ASPXAUTH'), but if I refresh the page afterwards, the cookie still exists and the page is still available instead of the user being redirected to the login page as I would expect.
Why is the user still able to view the page after I delete the authentication cookie and refresh the page?
I'm afraid that there isn't much you can do to a http-only cookie with javascript. The backend has to remove it if it's http-only. you can trigger a logout by using ajax.
$http.get("/logout");
The other option is to use non http cookie so you can modify it with javascript. But that would make it vulnerable and unsafe for risk of an XSS flaw grabbing your cookie and allowing your session to be hijacked.
PS: try HEAD request method if you don't want to load the page that follows (might work like an "do-and-forget-about-it")
$http.head("/logout");