Stop Javascript Redirect in Pop-Up Window - javascript

I'm using the Telerik RadWindow control in one of my applications. When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter.
However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected.
The control works just fine when the URL is pointed at a site other than Twitter. I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. Any advice on how to implement this functionality would be greatly appreciated.
Thanks in advance.

This behavior is probably caused by Twitter. In fact, it should happen on many other sites as well (Facebook and similar). To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. This way they can ensure that no rogue JavaScript will be running while the user enters their username and password.

Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up.
Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows.
The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. Best to just let your site do a full redirect for now.

Related

Angular detect when user leaves application

I've had a look around but I cannot seem to find the answer. Due to the "security" team at my company, they have stated that a website we have recently built, when a user navigates away from the website, we need to destroy the session.
Currently it's using a JWT token stored in the local browsers session, so when the user closes the browser the token will be destroyed.
So I know I can hook into window.onbeforeunload but this would also happen if the user refreshes the page, I don't think that would be acceptable behaviour for a website (refresh the page and now you are logged out). And there is also the Reload Site? popup that appears.
Does anyone know a way to detect that the user is navigating away from the angular app opposed to just reloading the page?

UI Redress and automated clicking

There is one thing I don't understand about the UI Redressing attack. Basically what I understand is:
1- The user clicks on a external URL
2- The attackers webpage opens. Inside this webpage, the original webpage is loaded as an iframe in a transparent manner.
3- As the user interacts with the attackers webpage he will actually be interacting with the transparent iframe.
Here is where I am confused. Why does the user even need to interact with the loaded webpage? Once the inner iframe is loaded you can have a javascript code to automate clicks on the page. Since this is all happening on the victims browser the target site will receive the victims session cookie and assume everythings fine.
Am I missing something here? Thanks in advance
Note: Please note this is a UI Redressing attack also known as click-jacking. This is different than phishing attacks.
The user wants to interact with the loaded webpage, because the user is not aware they are visiting a fake (inauthentic) page. I'm not 100% certain about the javascript, but I'm pretty sure the attacker wants to log the user's activity (e.g, keystrokes for a password).

What is the reason for why sites when opening a user link, open a page and then redirects?

For example Facebook redirects if you click on a link one of you friends shared.
Is there a safety reason that I should know about for my website? Thanks.
They are using this to track, you can also use it to track traffic - there shouldn't be any real security issues with this, its just the way Facebook directs traffic to sites.
One reason is that the user doesn't lose their place on the site just because they are going to another web page. It's a usability best practice to have any link that goes to a site other than your own, to open a new window or tab.
Security-wise, the site session on the new window is wiped when a new window is created, so if the link is malicious it cant sniff out your authentication cookies or other information.

Bookmarklet to "like" a page

I would like a javascript bookmarklet that will "click" on the facebook "like" button on my web site. Its for an automated program so it can automatically have that user like the home page of my program.
Is this possible?
This is going to be impossible due to the Single Origin Policy that will not allow you to simulate a click in an iframe that does not belong to your domain (or make a cross-domain request to Facebook, for that matter).
And thank Goodness! What you are trying to do sounds like something Facebook (or any other provider of such buttons) would want to prevent.

Display popup without security warning

I use Silverlight and I'm trying to get some data to the user side. I can easily display PDF file with an <embed> tag in the browser.
However, I also have to be able to save files form the server. I tried the SaveFileDialog from Silvelright but it doesn't allow setting the file name (which is an issue).
I tried setting a hidden <iframe> source to the URL from the server but that triggers a security warning and it's not good either (there would be too many clueless users calling because it doesn't work).
I tried calling window.open to trigger a new popup set to the URL. That works OK but again there's a security warning.
Is it possible to get rid of that security message? I know it's possible in Javascript.
An exampel is on the site
http://livetecs.com
(go to the live demo, then project manager and open a report in a new window: no security warning!)
How do they achieve that behavior?
If there's any other way to get my reports saved Silverlight I'd be very interested to hear about them.
EDIT: The warning I'm talking about is the Pop-up blocked. To see this pop-up or additional options click here.. banner appearing on top of the page.
Cheers.
There is no way around the pop up blocker when you open up a window without a user action. If there was a way around that, than the pop up blockers would be useless.
Only way to avoid the security message is to have the users add your site to their safe list.
OK, after much fiddling I came accross the Silverlight built-in pop-up window that I couldn't use before.
The only limitation is that it can only be triggered by a user action (which is fine in this context() PopUpWindow at MSDN
It fits the bill perfectly and I couldn't use it before because I wanted to pre-generate the report files before opening the pop-up (and thus I wasn't in a user event context anymore).
I'm going to create a report generation page that will display a status message and then show the report (I haven't worked out yet how I'll do that though).

Categories