简体繁体 English

在弹出窗口中停止Javascript重定向

[英]Stop Javascript Redirect in Pop-Up Window

原文 2010-07-29 17:03:42 9 2 javascript/ asp.net/ twitter/ oauth/ telerik

I'm using the Telerik RadWindow control in one of my applications. 我在一个应用程序中使用了Telerik RadWindow控件。 When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter. 当用户想要为应用程序授权Twitter时，该窗口将显示Twitter的OAuth对话框。

However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected. 但是，每次我显示Twitter OAuth的弹出窗口，甚至仅显示纯Twitter页面时，整个浏览器都会被重定向。

The control works just fine when the URL is pointed at a site other than Twitter. 当URL指向Twitter以外的站点时，该控件可以正常工作。 I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. 我想看看是否可以阻止该重定向，或者是否有更简单的方法来完成OAuth确认。 Any advice on how to implement this functionality would be greatly appreciated. 任何有关如何实现此功能的建议将不胜感激。

Thanks in advance. 提前致谢。

2 个解决方案

This behavior is probably caused by Twitter. 此行为可能是由Twitter引起的。 In fact, it should happen on many other sites as well (Facebook and similar). 实际上，它也应该发生在许多其他网站（Facebook和类似网站）上。 To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. 为了防止恶意站点窃取用户密码，登录页面会检测登录页面是否显示在嵌入式框架（IFRAME元素，例如RadWindow中使用的元素）中，如果是，则重定向整个浏览器窗口。 This way they can ensure that no rogue JavaScript will be running while the user enters their username and password. 这样，他们可以确保在用户输入用户名和密码时不会运行恶意JavaScript。

Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up. Twitter已正确创建了他们的授权页面，以防止跨站点脚本攻击，这意味着您不能将其嵌入框架或javascript弹出窗口中。

Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows. 不幸的是，“授权”的唯一另一种方法是完全重定向，或者使用弹出窗口（假设您的用户允许弹出窗口）。

The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. 弹出窗口的问题是，当Twitter重定向回您的应用程序时，您然后需要一种“关闭”它的方法。 It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. 可以做到，但是这样做有点棘手，谁知道它是否可以在多种浏览器中使用。 Best to just let your site do a full redirect for now. 最好现在就让您的网站进行完全重定向。