
iframe based login flow for sign-in users


Jan Wrobel

May 21, 2013, 7:42:34 AM
to dev-identity
Hi,

Have you discussed an alternative, iframe based integration mechanism?

It could work like this: a site includes an iframe from Persona, which
checks if a user has a valid Persona session. If yes, the iframe shows
a list of emails and a sign-in button. If no, the iframe shows just a
sign-in button that opens a pop-up.

The lack of a pop-up is IMO the only remaining advantage (from UX
perspective) of a custom authentication mechanism. But most users are
likely to stay signed-in to Persona, and for them iframe based flow
could eliminate the pop-up most of the time.

Just an idea to consider.

Cheers,
Jan

Shane Tomlinson

May 21, 2013, 8:23:20 AM
to dev-id...@lists.mozilla.org
Hi Jan,
We have indeed discussed embedding Persona using IFRAMEs [1]; so far we
have decided against it. The primary concern we have is that security
minded users would lose the ability to look at the URL bar to see if
they are really signing in to Persona or if they are being phished.

Your proposal is different to what we have considered in the past: you
are saying *iff the user is signed in to Persona*, show the embedded
IFRAME with their list of email addresses. Otherwise, show a button that
opens the dialog, where the user would enter their Persona password.
Primaries are an interesting case here, but perhaps this is a viable
middle ground.

Is your concern with the popup itself (as in "a popup, yuck"), or do you
have a specific use case in mind? If we could find out more about the
use case, maybe we can think of some additional alternatives together.

Shane

===========

[1] - most recently @
https://groups.google.com/d/msg/mozilla.dev.identity/oDkbEPbMgvM/xQ1IUauc9NMJ

Jan Wrobel

May 21, 2013, 8:58:30 AM
to Shane Tomlinson, dev-id...@lists.mozilla.org
On Tue, May 21, 2013 at 2:23 PM, Shane Tomlinson <stoml...@mozilla.com> wrote:
> Hi Jan,
> We have indeed discussed embedding Persona using IFRAMEs [1]; so far we have
> decided against it. The primary concern we have is that security minded
> users would lose the ability to look at the URL bar to see if they are
> really signing in to Persona or if they are being phished.
>
> Your proposal is different to what we have considered in the past, you are
> saying *iff the user is signed in to Persona*, show the embedded IFRAME with
> their list of email addresses. Otherwise, show a button that opens the
> dialog, where the user would enter their Persona password. Primaries are an
> interesting case here, but perhaps this is a viable middle ground.

Yes, the password dialog cannot be securely served from an iframe, but a
list of emails seems safe. I can't see how a phisher could benefit
from spoofing such a list.

> Is your concern with the popup itself (as in "a popup, yuck"), or do you
> have a specific use case in mind? If we could find out more about the use
> case, maybe we can think of some additional alternatives together.

From my perspective the current solution is good enough, but I have
seen people complaining about pop-up based login flows that require
users to switch context. Especially the redirect based flow that some
browsers require (iOS Chrome) could benefit from an iframe based
enhancement. This isn't a critical issue and I don't have any use case
in mind where it would be required.

Jan

Ben Adida

May 21, 2013, 9:31:15 AM
to Jan Wrobel, dev-identity
Jan,

I've wondered whether we could do this. The worry I have is clickjacking. A
web site using clever overlays and tricking you to click in a certain place
could obtain your email address surreptitiously. Maybe that's sufficiently
low damage that we should still consider it (it's not money), but it still
feels problematic to me.

-Ben

Jan Wrobel

May 21, 2013, 12:02:19 PM
to Ben Adida, dev-identity
On Tue, May 21, 2013 at 3:31 PM, Ben Adida <b...@adida.net> wrote:
> Jan,
>
> I've wondered whether we could do this. The worry I have is clickjacking. A
> web site using clever overlays and tricking you to click in a certain place
> could obtain your email address surreptitiously. Maybe that's sufficiently
> low damage that we should still consider it (it's not money), but it still
> feels problematic to me.

Yes, clickjacking can be easier with an iframe based approach. Potential
benefits may not be worth the risk.

Cheers,
Jan
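A defender-side sketch of the split the thread settles on (the password dialog is never framed; the email-list frame, if offered at all, is framed only by registered relying parties), added here as an illustration and not code from Persona or from anyone in the thread. The relying-party origin list, the resource names and the `request-emails` message type are constructed for the example; the embedder origin is assumed to be taken from the request's `Origin` header and matched against that registration.

```javascript
// Constructed allowlist of relying parties registered to embed the email-list frame.
const ALLOWED_RP_ORIGINS = new Set([
  "https://rp.example",
  "https://shop.example.org",
]);

const NEVER_FRAME = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

function isAllowedOrigin(origin) {
  // Exact, scheme-qualified match only: no prefix, suffix or substring matching,
  // so "https://rp.example.attacker" is not accepted.
  return typeof origin === "string" && ALLOWED_RP_ORIGINS.has(origin);
}

// Framing policy for a Persona resource, keyed on what the resource shows.
//   "password-dialog": credential entry must stay a top-level page so the URL bar is visible.
//   "email-list":      may be framed, but only by the one registered embedder of this request.
function framingHeaders(resource, embedderOrigin) {
  if (resource === "password-dialog") return NEVER_FRAME;
  if (resource === "email-list") {
    // Unknown embedder: refuse framing rather than fall back to an open policy.
    if (!isAllowedOrigin(embedderOrigin)) return NEVER_FRAME;
    // X-Frame-Options cannot express a per-origin allowlist; CSP frame-ancestors can.
    return { "Content-Security-Policy": `frame-ancestors ${embedderOrigin}` };
  }
  throw new Error(`unknown resource: ${resource}`);
}

// postMessage handler inside the email-list frame (hypothetical protocol):
// ignore anything not from a registered relying party, and reply only to that origin.
function handleRpMessage(event, postReply) {
  if (!isAllowedOrigin(event.origin)) return false;
  if (event.data && event.data.type === "request-emails") {
    postReply({ type: "emails", emails: ["user@example"] }, event.origin); // constructed
    return true;
  }
  return false;
}
```

Note that `frame-ancestors` narrows who may embed the list, not what the embedder draws over it, so a registered relying party could still overlay the frame in the way Ben describes; that residual risk is what the policy above does not remove.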