Redirecting to OAuth from within frame causes debugging dialog box to pop up

Jason Collins
Jan 17, 2010

We redirect the user to the OAuth auth screen from within a frame. The auth screen correctly detects the frame and breaks it, but before doing so it pops up a dialog box that says:

Press OK to continue... (framed authorization page detected)

This seems like debugging output to me. Can it be removed?

j

Anonymous (not verified)
Jan 17, 2010

Consider this alert a heavy suggestion not to use frames of any kind to load our Authorization flow; it's forbidden.

Taylor

Jason Collins
Jan 17, 2010

Thanks for the quick reply Taylor.

We're definitely not doing anything malicious and we're glad that the LinkedIn auth screen breaks out of the frameset (we reconstruct it on return).

Can you tell me more about why starting the process from within a frame is forbidden?

Thanks,
j

Anonymous (not verified)
Jan 17, 2010

This is Lucian. Taylor and I both work at LinkedIn on the platform.

Usually when you present the user agreement screen in some sort of frame, just the HTML appears to the user. They have no way to know that the page actually came from linkedin.com. You could be constructing and displaying that page to phish the email and password from the user. They couldn't know.

If the page is displayed in a browser window, then the browser will have the URL address bar and users who care can verify that they are actually on linkedin.com. While not very many users understand the importance of this, it's important to keep following the best practices in hopes that more do in the future.

You can read the requirement in the Platform Guidelines doc.

Jason Collins
Jan 17, 2010

Thanks Lucian,

I've read the document now.

Please note that we are not attempting to show the agreement screen in a frameset. We want the LinkedIn agreement screen to be top-level. We are happy with the way that the agreement screen breaks our frameset and makes itself top-level.

All I was wondering about is if the pop-up dialog box could be turned off when this occurs.

More info: we write a widget that encourages people to OAuth with LinkedIn. That widget is framed in to other pages. It turns out that it is more convenient for us to have LinkedIn break our frameset than it is for us to use target="_top". We can work around it using other techniques, though everything works out fine if the pop-up dialog box could be turned off. Any possibility of this happening?

Hope I'm making more sense,
j

Anonymous (not verified)
Jan 19, 2010

The alert message is not a debugging message, it's used to block JavaScript usage while the page loads to prevent an attacker from subverting the frame busting.

There appear to be other techniques here: http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/

We'll review them and see what we can do. For now you'll have to live with the alert message.

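The subversion Lucian refers to, as an added JavaScript example that is not LinkedIn's code: a frame-busting guard for an authorization page, exercised against constructed stand-ins for `window`, including a framing parent that cancels the redirect. The hide-until-top-level fallback and the names `isFramed`, `applyFrameBusting` and `makeWindow` are assumptions of this example, not a description of what LinkedIn deployed.

```javascript
// Added example (not LinkedIn's code): frame-busting guard for an authorization
// page, written against plain objects that stand in for `window`, so it runs
// under Node. The hide-until-top-level fallback is an assumption about how a
// robust page could behave, not a description of what LinkedIn deployed.

// True when this page is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Run the guard on page load. The content starts hidden; it is revealed only
// once we are sure no other page is framing it. If we are framed, ask the top
// context to navigate to our own URL. A hostile parent may cancel that
// navigation (the subversion the thread mentions), in which case the page
// simply stays blank, so nothing sensitive is ever rendered inside the frame.
function applyFrameBusting(win) {
  const body = win.document.body;
  if (isFramed(win)) {
    body.style.display = 'none';
    win.top.location = win.self.location;
    return { framed: true, revealed: false, bustedTo: win.top.location };
  }
  body.style.display = '';
  return { framed: false, revealed: true, bustedTo: null };
}

// Constructed stand-ins for three situations: unframed, a benign framer that
// honours the navigation, and a hostile framer that silently drops it.
function makeWindow(mode) {
  const self = { location: 'https://auth.example/authorize' };
  let top;
  if (mode === 'unframed') {
    top = self;
  } else if (mode === 'benign') {
    top = { location: 'https://framer.example/' };
  } else {
    top = {
      get location() { return 'https://framer.example/'; },
      set location(_url) { /* hostile parent cancels the redirect */ },
    };
  }
  return { self, top, document: { body: { style: { display: 'none' } } } };
}
```

In the hostile case the returned `bustedTo` still points at the framer, which is exactly the situation the alert was meant to block: the page never becomes top-level, so it must not reveal anything.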
Jason Collins
Jan 19, 2010

Thanks guys.

BTW, Tw*tter doesn't pop a dialog box in this scenario, so either they are vulnerable to the issue you raise, or they are using some other technique. Just mentioning in case it helps you guys.

j

Anonymous (not verified)
Jan 19, 2010

The best solution to this is not to load the agreement screen within a frame. Using target="_top" on your link to the agreement screen and using a callback on your own domain means that you can pop up the agreement screen in its own window, have it redirect back to your domain, and then use JavaScript to close the pop-up window when the process is complete (since it will now be loaded on your domain and thus allowed to be closed via JavaScript).

Taylor

Jason Collins
Jan 19, 2010

If only I could convince our UX Designer to allow pop-ups...

Jason Collins
Jan 19, 2010

I found another way to work around this (using cookies to store state instead of the URL).

Upshot is that I'm using target="_top" now and thus no popup.

Thanks for discussing with me. Keep up the great work guys!

j

Neil Camm
Sep 1, 2010

I get why you want to break frames, but I am trying to use a Telerik RAD Window (they create iframes) to display the authentication etc.