On 30/04/2013 17:35, Shane Tomlinson wrote:
> There is a downside to doing UA sniffing and using iframes for only a
> subset of browsers - we need a notification mechanism to tell an RP
> when their TOS/PP agreements is displayed in an iframe instead of a
> new tab.
>
> When a TOS/PP agreement is opened in a new tab, the content of that
> tab can contain links and make use of Javascript. When a TOS/PP
> agreement is shown in a sandboxed iframe, links are useless and
> Javascript is disabled. An RP may want to know this so they can serve
> users appropriate content.
>
> I propose we use one mechanism universally, so that RPs just don't
> have to worry about it. The code to inform the RP is pretty trivial;
> I've already implemented and then removed one version of it. I
> just want RPs to have as little to worry about as possible.
>
> Shane
>
>
Cross browser fun alert!

Neither Firefox Beta+ nor IE are happy with our iframe solution when the
TOS/PP agreements are served over http. Firefox Beta+ refuses to show
the TOS/PP due to mixed content and IE shows a warning asking the user
whether they want to continue. We saw something similar with siteLogo.

This can be seen on the force-issuer ephemeral instance [1]. Basic STR -
open the dialog in Firefox. Open the dev tools (NOT firebug) to the
Security tab. Click 123done's TOS or PP link. Look for the security
warning in the security pane of the dev tools.

I can think of two alternatives:

1) Require RPs that want to show TOS/PP agreements to do so using HTTPS.
2) Use browser sniffing to detect FF OS. If yes, use the IFRAME. If no,
open TOS/PP in new tab.

#1 limits the number of RPs that can do deep integration.

#2 has two problems. First, will FF OS have the same restriction on HTTP
iframes embedded in HTTPS content? Second, separate code paths that
possibly require a notification mechanism to let the RP know whether the
TOS/PP agreement is being shown as a tab or in an iframe.

Thoughts? Ideas? Ways around this? Friday looms.

Shane
===============
[1] -
http://force-issuer.123done.org/
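A per-URL version of the mixed-content fallback and the RP notification discussed in this thread, added here as an example (not code from the thread or from the Persona/123done code base); the function names, the message shape and the example origins are assumptions.

```javascript
// Added example (not Persona/123done code). Assumptions: the dialog is served
// over https:, the RP supplies its TOS/PP URL, and the RP listens for a
// postMessage of the shape built by tosDisplayNotification().

// An empty sandbox attribute applies every restriction: no scripts, no forms,
// no popups, no top-level navigation. This is what makes scripts and links in
// the agreement unusable when it is shown inline.
const TOS_IFRAME_SANDBOX = "";

// Decide how to show an RP's TOS/PP URL from a dialog at dialogOrigin.
// Returns { mode: "iframe" | "tab" | "refuse", reason, [sandbox] }.
function selectTosDisplay(dialogOrigin, tosUrl) {
  const dialog = new URL(dialogOrigin);
  let target;
  try {
    target = new URL(tosUrl, dialogOrigin); // relative URLs resolve against the dialog
  } catch (e) {
    return { mode: "refuse", reason: "unparseable URL" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    // javascript:, data: and similar schemes are never rendered as an agreement.
    return { mode: "refuse", reason: "unsupported scheme " + target.protocol };
  }
  if (dialog.protocol === "https:" && target.protocol === "http:") {
    // http: content inside an https: dialog is mixed content: Firefox blocks
    // the frame and IE warns, so fall back to a new tab. This enforces the
    // HTTPS requirement per URL instead of sniffing the browser.
    return { mode: "tab", reason: "mixed content" };
  }
  return { mode: "iframe", reason: "no mixed content", sandbox: TOS_IFRAME_SANDBOX };
}

// Message the dialog posts to the RP so it can serve content suited to the
// display mode (hypothetical message shape).
function tosDisplayNotification(decision) {
  const shownInTab = decision.mode === "tab";
  return {
    type: "tos_pp_display",
    mode: decision.mode,
    scriptsEnabled: shownInTab, // sandboxed iframe disables scripts
    linksUsable: shownInTab,    // sandboxed iframe blocks popups and top navigation
  };
}
```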