
Interacting with iFrames

I have a scenario where a user visits my site. I'm going to use an iFrame to show another site on another domain (not in my control) in that iFrame. Now this site will show a login page. The customer will log in to this page. If the login is successful, I want to disable/blur the iFrame and show some fields on my page. Upon entry of the data on my site, I'll be enabling the iFrame and letting the user carry on.

My question is: How can I capture the login-successful event in the iFrame?

Side question: Is there a better way of doing this than using the iFrame?

You want to know when the user has logged in on another site and imitate logging in behavior. What you describe is against the same-origin policy and an actual security break ...

This could be done properly, without raising security concerns, if the external site shared login-related information (for example through OAuth). Then you could just pop up the external site's login page. Your user would enter his/her credentials and you would get proper access to its login action status.

Supposing that the external application is Facebook, you could find extra information and examples on this page. An OAuth tutorial for beginners could also be useful.

Hope I helped!
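The popup approach described in the answer above, sketched as an added example that is not part of the original answer: the opener accepts a login result only from its own callback page, for the popup it opened, with a matching `state`. `APP_ORIGIN`, the `/oauth/callback` path, the endpoint and client id arguments, and the message shape `{type, code, state}` are assumptions for illustration.

```javascript
// Added example; APP_ORIGIN, the callback path and the message shape are assumptions.
const APP_ORIGIN = "https://app.example";

// Build the provider's authorization URL (authorization-code flow).
function buildAuthorizeUrl(authorizeEndpoint, clientId, state) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", APP_ORIGIN + "/oauth/callback");
  url.searchParams.set("state", state);
  return url.toString();
}

// Decide whether a "message" event really is our callback page reporting
// the login result for the popup we opened.
function checkLoginMessage(event, popup, expectedState) {
  if (event.origin !== APP_ORIGIN) return { ok: false, reason: "origin" };
  if (event.source !== popup) return { ok: false, reason: "source" };
  const d = event.data;
  if (!d || d.type !== "oauth-result") return { ok: false, reason: "type" };
  if (typeof d.state !== "string" || d.state !== expectedState) return { ok: false, reason: "state" };
  if (typeof d.code !== "string" || d.code === "") return { ok: false, reason: "code" };
  return { ok: true, code: d.code };
}

// Browser wiring; only runs when called from a page.
function startLogin(authorizeEndpoint, clientId, onLoggedIn) {
  const state = Array.from(crypto.getRandomValues(new Uint8Array(16)),
    (b) => b.toString(16).padStart(2, "0")).join("");
  const popup = window.open(buildAuthorizeUrl(authorizeEndpoint, clientId, state),
    "login", "width=500,height=650");
  window.addEventListener("message", function handler(event) {
    const result = checkLoginMessage(event, popup, state);
    if (!result.ok) return; // ignore unrelated or forged messages
    window.removeEventListener("message", handler);
    popup.close();
    onLoggedIn(result.code); // hand the code to your server for the token exchange
  });
}

// The callback page at APP_ORIGIN + "/oauth/callback" (same origin as the opener) would run:
//   const p = new URLSearchParams(location.search);
//   window.opener.postMessage(
//     { type: "oauth-result", code: p.get("code"), state: p.get("state") }, APP_ORIGIN);
```

Once `onLoggedIn` fires, the page can show its own fields without ever reading the other origin's document.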

I am not 100% sure if the below is what you require but you can try out the following:

- Below is a quick example of XFO detection, without any Login Detection checks, on a few websites.

```html
<script src="http://ajax.googleapis.com/ajax/libs/dojo/1.7.2/dojo/dojo.js"></script>
<script>
var urls = [
  'http://www.wikipedia.org/',
  'http://ha.ckers.org/',
  'http://www.google.com/',
  'http://www.facebook.com/',
  'https://github.com/',
  'http://daringfireball.net/'
];

function detect() {
  dojo.forEach(urls, function(url) {
    // Hidden iframe whose id is the URL it loads.
    var iframe = dojo.create("iframe", { src: url, id: url });
    dojo.attr(iframe, "style", {display: 'none'});
    // If the frame fires onload, remove it from the DOM again.
    dojo.connect(iframe, "onload", function() {
      dojo.destroy(iframe);
    });

    dojo.place(iframe, dojo.body());
    // After 3 seconds, check whether the iframe is still in the DOM,
    // i.e. whether onload never fired for it.
    setTimeout(function () {
      var obj = dojo.byId(url);
      if (obj) {
        // Still present: report "Yes" and clean up.
        dojo.destroy(iframe);
        var entry = dojo.create("li", null, dojo.body());
        entry.innerHTML = "Yes: " + url;
      } else {
        // Already destroyed by the onload handler: report "No".
        var entry = dojo.create("li", null, dojo.body());
        entry.innerHTML = "No: " + url;
      }
    }, 3000);
  });
}
</script>
```

For more methods and explanation of the above visit - http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/
