
Interacting with iFrames

I have a scenario where a user visits my site. I'm going to use an iFrame to show another site on another domain (not in my control) in that iFrame. Now this site will show a login page. The customer will log in on this page. If the login is successful, I want to disable/blur the iFrame and show some fields on my page. Upon entry of the data on my site I'll be enabling the iframe and letting the user carry on.

My question is: How can I capture the login-successful event in the iFrame?

Side question: Is there a better way of doing this than using the iFrame?

You want to know when the user has logged in on another site and imitate logging-in behavior. What you describe is against the same-origin policy and an actual security break ...

This could be done properly, without raising security concerns, if the external site shared login-related information (for example through OAuth). Then you could just pop up the external site's login page. Your user would enter his/her credentials and you would get proper access to its login action status.

Supposing that the external application is Facebook, you could find extra information and examples on this page. An OAuth tutorial for beginners could also be useful.

Hope I helped!
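The answer above makes the key point: a parent page cannot read login state out of a cross-origin frame, so the embedded site has to hand that information over deliberately. The example below is added here and is not code from the original answer or from the asker. It assumes the embedded site cooperates (contrary to the question's "not in my control") by calling `window.parent.postMessage({ type: 'login', status: 'ok' }, parentOrigin)` after a successful login; the origin `https://login.example.net`, the message shape and the element ids `partner-frame` and `our-fields` are all hypothetical. The security-relevant part is the `event.origin` check: without it, any page that manages to get your site into a frame or popup can send the same message and trigger the "logged in" state.

```javascript
// Added example: parent page receiving a "login succeeded" notification from a
// cooperating cross-origin iframe via postMessage, with origin verification.
// Assumption: the embedded site posts { type: 'login', status: 'ok' | 'failed' }
// to window.parent once the user has authenticated. Nothing here (or anywhere)
// can observe the login state of a frame that does not cooperate.

const TRUSTED_CHILD_ORIGIN = 'https://login.example.net'; // hypothetical embedded site

// Pure decision function, kept free of DOM access so it can be tested anywhere.
// Returns { action: 'accept' | 'ignore' | 'reject', ... } and never throws.
function classifyLoginMessage(event, trustedOrigin) {
  // 1. Origin check. This is the line that matters: trust comes from the
  //    browser-supplied event.origin, never from anything inside event.data,
  //    and the accepted origin is an exact string, not a prefix or '*'.
  if (event.origin !== trustedOrigin) {
    return { action: 'reject', reason: 'untrusted origin ' + event.origin };
  }
  // 2. Shape check. Even a trusted origin may be compromised or buggy, so the
  //    payload is still validated before it changes our state.
  const d = event.data;
  if (typeof d !== 'object' || d === null || d.type !== 'login') {
    return { action: 'ignore', reason: 'not a login message' };
  }
  if (d.status !== 'ok' && d.status !== 'failed') {
    return { action: 'reject', reason: 'malformed status' };
  }
  return { action: 'accept', status: d.status };
}

// Parent-side state: on success, blur the frame and reveal our own fields;
// once the user has filled them in, hand control back to the frame.
// `ui` is an object with blurFrame/unblurFrame/showFields/hideFields callbacks.
function createParentController(ui, trustedOrigin) {
  let loggedIn = false;
  return {
    isLoggedIn: () => loggedIn,
    onMessage(event) {
      const result = classifyLoginMessage(event, trustedOrigin);
      if (result.action === 'accept' && result.status === 'ok') {
        loggedIn = true;
        ui.blurFrame();
        ui.showFields();
      }
      return result;
    },
    // Called after the user submits our fields. Returns false if no login
    // has been accepted yet, so the frame is never re-enabled prematurely.
    resume() {
      if (!loggedIn) return false;
      ui.hideFields();
      ui.unblurFrame();
      return true;
    },
  };
}

// Browser wiring; skipped when there is no DOM (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('partner-frame'); // hypothetical ids
  const fields = document.getElementById('our-fields');
  if (frame && fields) {
    const ui = {
      blurFrame: () => { frame.style.filter = 'blur(4px)'; frame.style.pointerEvents = 'none'; },
      unblurFrame: () => { frame.style.filter = ''; frame.style.pointerEvents = ''; },
      showFields: () => { fields.hidden = false; },
      hideFields: () => { fields.hidden = true; },
    };
    const controller = createParentController(ui, TRUSTED_CHILD_ORIGIN);
    window.addEventListener('message', (e) => controller.onMessage(e));
  }
}
```

Note that the `status: 'failed'` branch is accepted as a well-formed message but does not change state, so a cooperating frame can report failures without the parent ever treating them as success.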

I am not 100% sure if the below is what you require, but you can try out the following:

- Below is a quick example of XFO detection, without any Login Detection checks, on a few websites.

<script src="http://ajax.googleapis.com/ajax/libs/dojo/1.7.2/dojo/dojo.js"></script>
<script>
// Sites to probe. Each is loaded in a hidden iframe that is removed as soon
// as its onload fires. If the frame is still in the DOM after 3 seconds the
// load never completed, which this demo reports as "Yes" (framing blocked,
// e.g. by X-Frame-Options); "No" means the page loaded in the frame.
var urls = [
  'http://www.wikipedia.org/',
  'http://ha.ckers.org/',
  'http://www.google.com/',
  'http://www.facebook.com/',
  'https://github.com/',
  'http://daringfireball.net/'
];

function detect() {
  dojo.forEach(urls, function (url) {
    // The URL doubles as the element id so the timer can look the frame up.
    var iframe = dojo.create("iframe", { src: url, id: url });
    dojo.attr(iframe, "style", { display: "none" });
    dojo.connect(iframe, "onload", function () {
      dojo.destroy(iframe);
    });
    dojo.place(iframe, dojo.body());

    setTimeout(function () {
      var obj = dojo.byId(url);
      var entry = dojo.create("li", null, dojo.body());
      if (obj) {
        // Still present: onload never fired within the timeout.
        dojo.destroy(iframe);
        entry.innerHTML = "Yes: " + url;
      } else {
        entry.innerHTML = "No: " + url;
      }
    }, 3000);
  });
}

// Run the probe once the DOM is ready.
dojo.ready(detect);
</script>

For more methods and an explanation of the above, visit http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/
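The probe above only observes whether a site resists framing; it does not show what the anti-framing headers actually mean to a browser. The example below is added here and is not part of the original answer. It evaluates a response's `X-Frame-Options` and `Content-Security-Policy` headers against a given embedding origin, following the precedence rule browsers apply: a `frame-ancestors` directive, when present, overrides `X-Frame-Options`; otherwise `X-Frame-Options` decides; with neither header, framing is allowed. Header names are assumed lower-cased, as Node's `http` module and `fetch()` expose them. Two simplifications are assumptions of this example: a port is only checked when a source expression lists one explicitly, and `ALLOW-FROM` is honoured for the listed origin even though current browsers ignore that value. The origins `bank.example`, `partner.example` and `evil.example` are constructed for illustration.

```javascript
// Added example: would this response be allowed to load inside a frame on
// embedderOrigin? Implements the CSP frame-ancestors / X-Frame-Options
// precedence rule. Simplifications (assumptions of this example): ports are
// compared only when a source names one; ALLOW-FROM is treated as allowing
// exactly the listed origin.

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

// Split an origin string into scheme/host/port, filling in the default port.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port || defaultPort(scheme) };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Return the frame-ancestors source list of one policy string, or null if the
// policy has no such directive. An empty list is equivalent to 'none'.
function frameAncestorsOf(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(source, embedder, self) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return sameOrigin(embedder, self);
  if (src === '*') return true;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.scheme === src.slice(0, -1);
  // host-source: [scheme://][*.]host[:port]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme !== embedder.scheme) return false;
  } else if (embedder.scheme !== self.scheme &&
             !(self.scheme === 'http' && embedder.scheme === 'https')) {
    // No scheme given: the protected page's scheme applies (http may be upgraded).
    return false;
  }
  if (wildcard ? !embedder.host.endsWith('.' + host) : embedder.host !== host) return false;
  if (port && port !== '*' && port !== embedder.port) return false;
  return true;
}

function xfoAllows(value, embedder, self) {
  const v = String(value).trim();
  if (/^deny$/i.test(v)) return false;
  if (/^sameorigin$/i.test(v)) return sameOrigin(embedder, self);
  const m = v.match(/^allow-from\s+(\S+)$/i);
  if (m) {
    try { return sameOrigin(parseOrigin(m[1]), embedder); } catch (e) { return false; }
  }
  return true; // unrecognised value: browsers ignore the header
}

// headers: object mapping lower-case header names to a string or array of strings.
function framingAllowed(headers, selfOrigin, embedderOrigin) {
  const self = parseOrigin(selfOrigin);
  const embedder = parseOrigin(embedderOrigin);
  const policies = [].concat(headers['content-security-policy'] || [])
    .map(frameAncestorsOf)
    .filter((list) => list !== null);
  if (policies.length > 0) {
    // Every policy that carries frame-ancestors must allow the embedder; XFO is ignored.
    return policies.every((list) => list.some((s) => sourceMatches(s, embedder, self)));
  }
  if (headers['x-frame-options'] === undefined) return true;
  return xfoAllows(headers['x-frame-options'], embedder, self);
}
```

Run against the headers the probe above would have received, this makes the failure modes concrete: a response with `X-Frame-Options: DENY` but also `Content-Security-Policy: frame-ancestors https://*.partner.example` is still frameable by `https://app.partner.example`, because the CSP directive takes precedence, while a CSP that sets only `default-src` leaves `X-Frame-Options` in force.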
