I have an iframe that loads an external page that needs to be logged in to make what I want appear. Actually, if I set the iframe the normal way, the iframe loads the external domain's login page. What I actually have is something like this:
What I need to do is to set some cookies for that source to make the external domain pretend I'm "logged in". That can be done (or I think this can be done) by setting on the request the cookies that the login response gave me.
I'm actually able to get those cookies, but don't know how to set them to the URL from the iframe.
Thoughts?
Thanks!
If the iframe is on a separate domain, you can't access it directly via javascript from your other domain so you won't be able to directly transfer your cookie from domain1 to domain2 using javascript.
If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to login and the login credential is transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another
You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL in the iframe to have the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it writes on itself and then refresh itself (thus now looking logged in). You will obviously need to control JavaScript in both domains to use either of these techniques because one domain's JavaScript can't put a cookie into the other domain directly.
Another way that two cooperating domains can communicate is with window.postMessage(), so the login credentials could be sent to the iframe window. Its JavaScript would have to receive the message and turn it into a cookie and then refresh its page so that the server saw the login cookie on the 2nd domain.
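The postMessage() variant of the answer above, written out as an added example (not code from the answer or from any real site): the parent page on domain1 posts the credential to the iframe with an explicit target origin, and the iframe's script refuses anything whose event.origin is not the parent it expects before it writes the cookie and reloads. The two origins, the message shape and the cookie name are assumptions for the example.

```javascript
// Added example, not from the original answer: handing a login credential from
// the parent page (domain1) to a cooperating iframe (domain2) with
// window.postMessage(). Origins, message shape and cookie name are assumptions.
const PARENT_ORIGIN = 'https://app.domain1.example';
const FRAME_ORIGIN = 'https://widget.domain2.example';

// Parent side (domain1): send the credential to the iframe's window. targetOrigin
// is the iframe's exact origin, never '*', so the token is dropped if the frame
// has been navigated somewhere else. Returns the message for inspection.
function sendLoginToFrame(frameWindow, token, frameOrigin = FRAME_ORIGIN) {
  const message = { type: 'login', token };
  frameWindow.postMessage(message, frameOrigin);
  return message;
}

// Iframe side (domain2): validate a received message and turn it into the
// document.cookie string to write. Returns null unless the sender is the
// expected parent and the payload has the expected shape.
function loginCookieFromMessage(event, parentOrigin = PARENT_ORIGIN) {
  if (event.origin !== parentOrigin) return null; // the origin check is the whole point
  const data = event.data;
  if (!data || data.type !== 'login' || typeof data.token !== 'string') return null;
  if (!/^[A-Za-z0-9._-]{16,512}$/.test(data.token)) return null; // no junk or control chars
  // SameSite=None; Secure is required for a cookie that must be sent to domain2
  // while it is framed by domain1 (a cross-site context).
  return `session=${encodeURIComponent(data.token)}; Path=/; Secure; SameSite=None`;
}

// Iframe side wiring: on a valid message write the cookie and reload so that
// domain2's server sees the Cookie header. Only runs in a browser.
function installFrameListener(win) {
  win.addEventListener('message', (event) => {
    const cookie = loginCookieFromMessage(event);
    if (cookie === null) return;
    win.document.cookie = cookie;
    win.location.reload();
  });
}

if (typeof window !== 'undefined') {
  installFrameListener(window);
}
```

On the parent page, call sendLoginToFrame(frame.contentWindow, token) from the iframe's load event, not before, or the message arrives while the frame is still about:blank and is lost. Even with SameSite=None; Secure, a browser that blocks third-party cookies outright will still not store domain2's cookie inside a frame, so test in the browsers you actually need to support.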
I have an iframe, say it's hosted at example.com, and I want siteA.com and siteB.com to have the same cookie. I plan to embed the iframe (example.com) into siteA and siteB; is that possible? As I know, a cookie is per domain only.
It depends on if you control siteA and siteB. If you cannot make changes to them, this is not possible.
Otherwise, you can leverage two way iframe communication to send siteA / siteB a message with the cookie value, which you then write.
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where a user is directly logged in and redirected to another site after he logs into my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in Chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which I'm redirecting to is hosted on another server on the local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
@jfriend00 nice explanation.
@Kiran G you can pass a query param in the same redirect; no need to set cookies in Express, just send it in a query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
Is it possible to make a cross-domain request from a Chrome extension without statically listing the domain in manifest.json (presumably by dynamically prompting the visitor for permission)?
For a use case, suppose I wanted to let visitors supply an RSS feed address, which I'd then query as part of my application's dashboard screen. I cannot list that domain in manifest.json since I clearly can't know the domain until the visitor enters it at runtime.
I'm hoping there's some mechanism for dynamically requesting access to a domain ("This extension wants to browse your data on www.example.com; do you want to allow this?")
Any ideas?
I think you'd need to specify a match pattern of: http://*/*
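Added example, not from the answer above: Chrome also lets an extension ask for a single host at runtime, which is closer to what the question wants than a blanket http://*/* pattern. It assumes a Manifest V3 extension whose manifest lists the hosts it may ask for under "optional_host_permissions" (for example ["https://*/*", "http://*/*"]); the prompt is only shown from a user gesture such as a click. The permissionsApi parameter is there so the logic can run outside the browser; in the extension it is chrome.permissions.

```javascript
// Added example, not from the original answer: asking for one feed host at
// runtime via chrome.permissions.request() instead of shipping http://*/*.
// Assumes a Manifest V3 extension with matching "optional_host_permissions".

// Turn a user-supplied feed URL into the narrowest match pattern that covers
// it (scheme and host only, no port or path), or null for anything that is
// not a parseable http(s) URL.
function originPatternFor(feedUrl) {
  let url;
  try {
    url = new URL(feedUrl);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return `${url.protocol}//${url.hostname}/*`;
}

// Request access to that one origin; resolves true when the permission is
// already held or the user grants it, false when it is refused or the URL is
// unusable. permissionsApi is injectable for testing; defaults to chrome.permissions.
async function requestFeedAccess(feedUrl, permissionsApi = globalThis.chrome?.permissions) {
  const pattern = originPatternFor(feedUrl);
  if (pattern === null) return false;
  const scope = { origins: [pattern] };
  if (await permissionsApi.contains(scope)) return true;
  return permissionsApi.request(scope);
}
```

Once requestFeedAccess() resolves true, fetch(feedUrl) from the extension's background or dashboard page is allowed for that host; when the user removes the feed, call chrome.permissions.remove() with the same origins so the grant does not outlive its purpose.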
I'm trying to understand the principle behind the Facebook plugins.
As I understood, they set a cookie when you log in, and then whenever you visit a website with their plugin installed, they are able to recognize your userId.
I'm trying to do it on my own on a couple of different domains I have, but I don't know where to start actually...
I set a cookie TEST when I visit site1.com with a random id value
but then when I visit site2.com what should I do? Can I read the previous cookie that contains my id?
When you set a cookie in site1.com, whenever the visitor visits site1.com, the cookie would be sent to this website. There is no involvement of site2.com at all. site2.com cannot and should not be able to receive the cookie that was set by site1.com.
If you are designing a page such that the user visits site2.com and the web page at site2.com contains an IFRAME that loads site1.com, then the cookie that was set by site1.com earlier would be automatically sent to site1.com when it tries to load it in this IFRAME.
Also, note that these things are usually not done with JavaScript. Some sort of server side scripting such as PHP, ASP.NET, Django, etc. is used to set and read cookies sent by the client. Setting a cookie in the user's browser involves adding a 'Set-Cookie' header to the HTTP response generated by the server-side script. In PHP this can be done using setcookie(). Once the cookie is set in the browser, when the user visits the same website again before the cookie expires, the browser sends the cookie as a 'Cookie' header. The server-side script can now read this cookie. In PHP, the cookies are available in $_COOKIE variable.
I have an application where I am displaying some stuff in javascript modals using jquery.
It requires the user to login for certain flows; but the user never leaves the modal.
So here is what we do currently.
During user flow if the user needs to be logged in, we hide the current div and show a login div
Keep a hidden iframe with Source link as that of our SSO server.
Once user submits the form, we submit the hidden iframe to the SSO server
If user gets logged in we proceed with the flow.
Problem is when there is error logging in. We need to get the error codes from the hidden iframe of the page; but because we don't control the content inside iframe, and it's returned by SSO server; we don't know how to read it since it's cross domain.
Any insights?
So long as there is not client side script being executed from the SSO party you do not need the iframe. The point of using an iframe for security is to prevent AJAX methods from ignoring single origin policy and circumventing SSL encryption. The answer is to remove the iframe. Request the SSO data from the server side and send it to the client from your server as the page is built.
You can't get around x-domain restrictions unless you use the jsonp protocol.
Could the user simply see the error response on page? Why do you have the iframe hidden atm?
Are you trying to silently log in the user to another system using the iframe technique?
Even though that might work on most browsers, some browsers won't pass cookies in iframes, making this approach not a good broad-audience solution.
Let me know if I can clarify.
Use JSONP to callback the function you prevented in your website, then in the iframe, you just need to invoke the javascript function: "parent.callback()".