This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Log-in should respect frame focus, not window location
Request / potentially a bug report for the plugin (Firefox, at least):
Given 3rd party services like Disqus (among many others) which log you in via an iframe, it seems logging in should respect *only* the frame in focus and nothing else. That way, as long as the login frame has focus, it gets treated identically to logging into the provider's website, which is precisely what it is.
Hypothetical situation if the frame isn't respected (not sure if it does this or if it just doesn't fill in the field, but...):
[list=1]
[*]You have a login for site A
[*]You have a login for site B
[*]Site A loads a full-frame iframe of site B
[*]You fill fields, and submit
[*]B received your A login
[/list]
The alternative is that your attempts to log into what's apparently the site you want, [i]and is being served by the site you're trying to log into[/i], have absolutely no response. It behaves as if you [i]have[/i] no login for B, which is incorrect. Iframes are secure, why not use them?
Comments
Hey Groxx,
Thanks for raising this good issue. I do not know the full logic behind the current situation, but my guess is that we prioritize the URL displayed in the address bar over any "hidden" (read: iframe) URLs. Users see the site in the address bar and save a login based on their trust of that site. If the site uses iframes, they are trusted with not abusing the privilege.
On the other hand, if a user visits a malicious site, it could load an iframe that makes it [i]look like[/i] they are on a site for which a user has saved a login.
I don't know for certain, but I imagine that factored into the decision. We are always looking to improve, and I will pass this along to the developers.
I'm sorry I don't have a better answer for you at this time.
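
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not AgileBits code: two credential-matching policies (by address-bar URL, by the form's own frame origin) evaluated on the "site A embeds site B" scenario. The vault entries, URLs and function names are constructed for illustration.

```javascript
// Added illustration; not 1Password's logic. All entries and URLs are constructed.
const vault = [
  { origin: "https://site-a.example", username: "alice-on-a" },
  { origin: "https://site-b.example", username: "alice-on-b" },
];

// Normalise a URL to its origin (scheme + host + port).
function originOf(url) {
  return new URL(url).origin;
}

// Policy 1: match saved logins against the address-bar URL,
// regardless of which frame holds the form (frameUrl is ignored).
function matchByTopLevel(topUrl, frameUrl) {
  const top = originOf(topUrl);
  return vault.filter((entry) => entry.origin === top);
}

// Policy 2: match saved logins against the origin of the frame
// that actually contains the login form.
function matchByFrame(topUrl, frameUrl) {
  const frame = originOf(frameUrl);
  return vault.filter((entry) => entry.origin === frame);
}

// For each credential a policy would fill, report who receives it,
// whether it belongs to a different origin than the receiver, and
// whether the user can see the receiving origin in the address bar.
function evaluate(policy, topUrl, frameUrl) {
  const receiver = originOf(frameUrl);
  return policy(topUrl, frameUrl).map((entry) => ({
    username: entry.username,
    receiver,
    crossOriginLeak: entry.origin !== receiver,
    receiverVisibleInAddressBar: receiver === originOf(topUrl),
  }));
}

// Scenario from the thread: site A loads a full-frame iframe of site B.
const topUrl = "https://site-a.example/article";
const frameUrl = "https://site-b.example/login";
console.log(evaluate(matchByTopLevel, topUrl, frameUrl));
console.log(evaluate(matchByFrame, topUrl, frameUrl));
```

Matching on the address bar sends A's login to B's frame; matching on the frame sends B's login to B, but to an origin the user cannot see in the address bar, which is the concern raised in the reply.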