We redirect the user to the OAuth auth screen from within a frame. The auth screen correctly detects the frame and breaks it, but in before doing so it pops up a dialog box that says:Press OK to continue... (framed authorization page detected)This seems like debugging output to me. Can it be removed?j
Thanks for the quick reply Taylor.We're definitely not doing anything malicious and we're glad that the LinkedIn auth screen breaks out of the frameset (we reconstruct it on return).Can you tell me more about why starting the process from within a frame is forbidden?Thanks,j
This is Lucian. Taylor and I both work at LinkedIn on the platform.Usually when you present the user agreement screen in some sort of frame, just the HTML appears to the user. They have no way to know that the page actually came from linkedin.com. You could be constructing and displaying that page to fish the email and password from the user. They couldn't know.If the page is displayed in a browser window, then the browser will have the URL address bar and users who care can verify that they are actually on linkedin.com. While not very many users understand the importance of this, its important to keep following the best practices in hopes that more do into the future.You can read the requirement in the Platform Guidelines doc.
Thanks Lucian,I've read the document now.Please note that we are not attempting to show the agreement screen in a frameset. We want the LinkedIn agreement screen to be top-level. We are happy with the way that the agreement screen breaks our frameset and makes itself top-level.All I was wondering about is if the pop-up dialog box could be turned off when this occurs.More info: we write a widget that encourages people to OAuth with LinkedIn. That widget is framed in to other pages. It turns out that it is more convenient for us to have LinkedIn to break our frameset than it is for us to use target="_top". We can work around it using other techniques, though everything works out fine if the pop-up dialog box could be turned off. Any possibility of this happening?Hope I'm making more sense,j
The alert message is not a debugging message, it's used to block javascript usage while the page loads to prevent an attacker from subverting the frame busting.There appear to be other techniques here:http://coderrr.wordpress.com/2009/06/18/anti-anti-frame-busting/We'll review them and see what we can do. For now you'll have to live with the alert message.
The best solution to this is not to load the agreement screen within a frame. Using target="_top" on your link to the agreement screen and using a callback on your own domain means that you can pop up the agreement screen in its own window, have it redirect back to your domain, and then use Javascript to close the pop-up window when the process is complete (since it will now be loaded on your domain and thus allowed to closed via Javascript).Taylor
I get why you want to break fames, but I am trying to use a Telerik RAD Window (they create iframes) to display the authentication etc.
Consider this alert a heavy suggestion not to use frames of any kind to load our Authorization flow, it's forbidden.Taylor