Comments (7)
If the route to mount a content provider is protected by some other means, such as OAuth header validation, there is no need to challenge the consumer for a secret.
Technically all our apps are protected by other means... The question is once the content has been loaded, if I navigate away and go to a malicious site, are they able to embed this app? How are you preventing that from happening?
If the initial page loads and authorizes itself to be displayed, how would the existing consumer challenge eliminate the ability to navigate to another page within that iFramed window?
Talked through with @slor on this idea as well. If the challenge is not provided, any consumer would be able to embed the content of the document served by the provider; however, in this case the document is not even served if the cloud OAuth validation (server side) does not succeed. So for a content provider to ignore the challenge could open themselves up to click-jacking only if they do not protect themselves in some other secure fashion. Maybe that was more of the question being asked.
@whitehatguy, thinking through this security idea, wanted to get your thoughts on whether we're opening any holes?
To add a bit more information, what we have discovered is that the communications across the iframe are delayed and sporadic. I've seen the challengeConsumer take anywhere from ~100 ms to upwards of 5+ seconds. Only speculating, but possibly because of the event loop restrictions within the client consumer. Looking for ways to improve the performance.
FWIW `this.authorizeConsumer()` is a public method you can call yourself. Though I recommend against it because I'm not confident you're preventing any UI redress attacks.
Fixed in #12