According to the MSAL documentation, the redirect method is recommended if you want to support IE or if users have browser constraints or policies where pop-ups windows are disabled.
You can't use both the pop-up and redirect methods in your
application. The choice between a pop-up or redirect experience
depends on your application flow:
If you don't want users to move away from your main application page during authentication, we recommended the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved.
If users have browser constraints or policies where pop-ups windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are known issues with pop-up windows on Internet Explorer.
Based on that, I can't imagine why anyone would want to use the popup experience since it may block users who have popups disabled from signing in. Seems like this is available only for web apps that are run in a very controlled environment. Is there something I'm missing?
One common reason to choose popups over redirects is that redirects can only be used in the top frame of your application. If your application is rendered in an iframe, popups are your only option for interactive auth. Besides that limitation, it's mostly a UX decision.
Related
Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.
I have a Java web application in domain A (that we control). This application displays another website located in domain B (which we do not control) in an iframe. This external website was recently updated to require users to log on before they can see content. They provided us with a URL that will automatically log our users into their site. This URL works when we navigate directly to it in Internet Explorer (we get automatically logged in etc).
However, apparently there was an update to Internet Explorer so that cross domain communication is not allowed. So now when the login URL is displayed in the iframe, it does not successfully log on (I am guessing its being blocked from creating security cookies).
Also, if we browse to the URL directly and get the security in place, then any iframe elements of the site will not work (I am guessing it is being blocked from accessing security cookies).
Does anyone know of a work around for this? Changing the security level on Internet Explorer is not an option (it is controlled by our company's system administrator). Internet Explorer is also our company standard, so we cannot change that (even though it works fine in Firefox).
When you say "elements of the site will not work" what precisely does that mean?
"Cross-domain" interactions have always been restricted in all browsers. This is called "same-origin-policy" and it's the foundation of web security. The "update" to Internet Explorer you're referring to restricts IE such that a webpage on Domain A can no longer navigate a subframe that is inside a page from Domain B. That restriction has been present in IE for 7+ years and is in all browsers. This restriction is not causing your problem.
This most likely problem here is that the subframe fails to set a P3P header that would permit its cookies to be stored. There are perhaps 30 duplicates on that issue on StackOverflow.
To determine if this is what you're encountering, try this:
In IE, click Tools > Internet Options > Privacy tab.
Set the slider to Accept all
Clear your cookies
Restart the browser and retry the scenario.
If this change solves the problem, then the fix is easy: configure the page which is being framed to specify its cookie policy using a P3P response header.
If this doesn't solve the problem, please update the question with more information that would allow others to reproduce it (e.g. traffic logs, live site URL, etc).
It turns out that this was causes by the login site not being on the trusted sites list. Having security add it as a trusted site and pushing that to all company computers solved the issue.
I should note, I'm not a chrome extension expert. However, I'm looking for some advice or high-level solution to a security concern I have with my chrome extension. I've searched quite a bit but can't seem to find a concrete answer.
The situation
I have a chrome extension that needs to have the user login to our backend server.
However, it was decided for design reasons that the default chrome popup balloon was undesirable. Thus I've used a modal dialog and jquery to make a styled popup that is injected with content scripts.
Hence, the popup is injected into the DOM o the page you are visiting.
The Problem
Everything works, however now that I need to implement login functionality I've noticed a vulnerability:
If the site we've injected our popup into knows the password fields ID they could run a script to continuously monitor the password and username field and store that data. Call me paranoid, but I see it as a risk. In fact, I wrote a mockup attack site that can correctly pull the user and password when entered into the given fields.
My devised solution
I took a look at some other chrome extensions, like Buffer, and noticed what they do is load their popup from their website and, instead, embed an iFrame which contains the popup in it. The popup would interact with the server inside the iframe.
My understanding is iframes are subject to same-origin scripting policies as other websites, but I may be mistaken.
As such, would do the same thing be secure?
TLDR
To simplify, if I embedded a https login form from our server into a given DOM, via a chrome extension, are there security concerns to password sniffing?
If this is not the best way to deal with chrome extension logins, do you have suggestions on what is? Perhaps there is a way to declare text fields that javascript can simply not interact with? Not too sure!
Thank you so much for your time! I will happily clarify anything required.
The Same origin policy does indeed protect the contents of the iframe from the main page.
However. There's no way for the user to know whether the iframe in the page belongs to your extension or not. A rogue page could copy your design and impersonate your extension, and ultimately steal the credentials.
The only secure way to get the user to input credentials is through a separate window, popup or tab.
Chrome offers an API to open a window with desired properties, which should be sufficiently flexible to meet your design requirements. See this example, which is also about getting a credentials in a popup window: https://stackoverflow.com/a/10341102/938089
We need to force a particular web application to launch in the Notes browser regardless of the browser option the user has chosen. This also ideally needs to be launched from some LotusScript code.
I haven't been able to find a way of doing it so any suggestions would be appreciated.
There's unfortunately no way to force the Notes browser via LotusScript. However, you could look into using policies to restrict the user's default browser: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/03062008102616AMWEBL4Y.htm
If it is possible, I suggest taking a different approach. This likely can't be solved via a technical solution (i.e. the user could always find a way to open the URL in a non-Notes browser if they are motivated to do so). Therefore I would make the recommendation to the user that the application only works via the Notes browser, and leave it up to them to do the right thing. Do that either by training, or putting a message on the web application, etc.
Another idea, if you have control over the web application, is that you could check the browser's User Agent for the keyword "Lotus Notes", and disallow anyone non-Notes browsers from using the application.
Oddly enough I have the issue you want to emulate happening on a Mac. I am not sure at this time if this is expected behavior though (still investigating).
I have a database rendering an XPage on the client. The link is in a rich text field. When the link is clicked it opens in the same tab in the Notes client, instead of the system browser (which is set in the Notes client).
Using Call notesUIWorkspace.URLOpen( Url$, reload%, urlList%, charset$, webusername$, webpassword$, proxywebusername$, proxywebpassword$, notesRetriever )
specifying true for notesRetriever, will open the browser page IN notes (whatever user config).
Don't expect too much of this since this will require the retriever process to run on the Domino server.
I bet your application won't work using a reriever.
I am developing a Drupal site, within which is a page with an iframe, displaying an external SQL Reporting server driven site.
This iframed site is protected on by HTTP authentication. In all browsers, apart from Chrome, when the page is viewed, the browser driven login box pops up.
In Chrome (Windows & OS X), no login box appears and I get an immediate 401 error from the SQL Reporting Server. I've cleared cache's and even tried on a fresh chrome installation on a VM.
The above method works fine on the clients existing live site, which is ASP driven. Other than CMS technology, the only other obvious difference is domains.
The working live site is referencing a sub domain of itself in the iframe. The development site is referencing a completely different domain.
I've tried /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -–allow-cross-origin-auth-prompt, which seems to make no difference.
Does Chrome have much tighter cross domain login rules? Or am I missing something else?
According to the devs at chromium, this was an intentional change to protect against phishing attacks. If you say the prod sites reference the same domain, you shouldn't have any issues.
http://code.google.com/p/chromium/issues/detail?id=91814
To switch the (in my mind stupid) security-feature off set Browser flag:
--allow-cross-origin-auth-prompt
In Linux close all Browser Instances and type in terminal:
chromium-browser --allow-cross-origin-auth-prompt
For Windows, Mac, Android... take a look here: http://www.chromium.org/developers/how-tos/run-chromium-with-flags
See http://www.chromium.org/administrators/policy-list-3#AllowCrossOriginAuthPrompt for the policy that can be set versus using flags.
On Windows this can be set via the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. See http://www.chromium.org/administrators/policy-templates for more information.