We redirect the user to the OAuth auth screen from within a frame. The auth screen correctly detects the frame and breaks it, but before doing so it pops up a dialog box that says:

Press OK to continue... (framed authorization page detected)

This seems like debugging output to me. Can it be removed?

j
Redirecting to OAuth from within frame causes debugging dialog box to pop up
Consider this alert a heavy suggestion not to use frames of any kind to load our Authorization flow; it's forbidden.

Taylor
Thanks for the quick reply Taylor.

We're definitely not doing anything malicious and we're glad that the LinkedIn auth screen breaks out of the frameset (we reconstruct it on return).

Can you tell me more about why starting the process from within a frame is forbidden?

Thanks,
j
This is Lucian. Taylor and I both work at LinkedIn on the platform.

Usually when you present the user agreement screen in some sort of frame, just the HTML appears to the user. They have no way to know that the page actually came from linkedin.com. You could be constructing and displaying that page to phish the email and password from the user. They couldn't know.

If the page is displayed in a browser window, then the browser will have the URL address bar and users who care can verify that they are actually on linkedin.com. While not very many users understand the importance of this, it's important to keep following the best practices in hopes that more do in the future.

You can read the requirement in the Platform Guidelines doc.
Thanks Lucian,

I've read the document now.

Please note that we are not attempting to show the agreement screen in a frameset. We want the LinkedIn agreement screen to be top-level. We are happy with the way that the agreement screen breaks our frameset and makes itself top-level.

All I was wondering about is if the pop-up dialog box could be turned off when this occurs.

More info: we write a widget that encourages people to OAuth with LinkedIn. That widget is framed in to other pages. It turns out that it is more convenient for us to have LinkedIn break our frameset than it is for us to use target="_top". We can work around it using other techniques, though everything works out fine if the pop-up dialog box could be turned off. Any possibility of this happening?

Hope I'm making more sense,
j
Thanks guys.

BTW, Tw*tter doesn't pop a dialog box in this scenario, so either they are vulnerable to the issue you raise, or they are using some other technique. Just mentioning in case it helps you guys.

j
I found another way to work around this (using cookies to store state instead of the URL).

Upshot is that I'm using target="_top" now and thus no popup.

Thanks for discussing with me. Keep up the great work guys!

j
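
The frame check discussed in this thread, sketched as an added example that is not part of the original posts and is not LinkedIn's code: an authorization page shows its login form only when it is the top-level window, and otherwise asks the top window to load it instead. The function names and the mock-window shape are assumptions made for illustration.

```javascript
// Added example. Function names are hypothetical, not from any real platform.

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (err) {
    // If the comparison cannot be made, assume the page is framed.
    return true;
  }
}

// Decide what an authorization page does before showing a login form.
// Returns 'render' (top-level, address bar visible to the user),
// 'redirected' (asked the top window to load this page instead) or
// 'blocked' (could not break out, so the form must stay hidden).
function guardAuthPage(win) {
  if (!isFramed(win)) return 'render';
  try {
    win.top.location = win.self.location.href;
    return 'redirected';
  } catch (err) {
    // For example a sandboxed iframe without allow-top-navigation.
    return 'blocked';
  }
}

// Only 'render' ever leads to the credential form being displayed.
function shouldShowForm(win) {
  return guardAuthPage(win) === 'render';
}

// Response headers that make the browser itself refuse to frame the page,
// so the defence does not depend on script running inside the frame.
// With these set, a framed load is refused outright instead of breaking
// out, so an embedding widget has to link with target="_top".
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}
```
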