
I'm working on a script to automatically sign you in to Basecamp for a project... so far I have come up with the following as something simple: just a form you submit which posts to an iframe:

<html>
<head>
  <style>
    #bc1 { width: 100%; height: 350px; }
  </style>
</head>
<body>

  <!-- the sign-in response is rendered inside this iframe -->
  <iframe id="bc1" name="_bc1"></iframe>

  <!-- posts directly to the 37signals Launchpad session endpoint, targeting the iframe above -->
  <form method="post" id="bcform" action="https://launchpad.37signals.com/session" target="_bc1">
    <!-- Rails authenticity_token (anti-CSRF field) -->
    <input name="authenticity_token" type="text" value="PyweDIeBkqaAOltDviI/nOADpyrESRDf77R2v7W/6tM=" />
    <input id="product" name="product" type="text" value="basecamp" /><br/>
    <input autocapitalize="off" autocomplete="on" class="overlayable" id="username" name="username" title="Username" type="text" />
    <input autocomplete="on" class="overlayable" id="password" name="password" title="Password" type="password" />
    <input name="commit" type="submit" value="Sign In" />
  </form>

</body>
</html>

This works in all browsers except IE8 (and presumably 7 and 6).

Type your Basecamp login/password into the text boxes and click Sign In to give it a try.

Does anyone know why this breaks in IE but works in other browsers?

Jamie Wong
Mike Valstar

1 Answer


If you're not serving the initial page over HTTPS too, using HTTPS within an iframe doesn't add any security, since the URI of the iframe itself could be altered by an attacker and the user wouldn't notice it:

HTTP and HTTPS iframe

Bruno
  • Actually, it does add some security because credentials can be POSTed now instead of sent over as part of the query string. So by using an iframe at least you prevent passwords from showing up cleartext in the server's access log. – Leven Jan 30 '13 at 08:10
  • @Leven, using POST or GET has nothing to do with using an iframe or not. Of course, using a password with GET is often a bad idea. – Bruno Jan 30 '13 at 08:51
  • @Bruno, it does in some cases. Imagine a login popup form that appears on an HTTP-hosted page. Because of the same-origin policy you can't do an Ajax POST to an HTTPS page from that page. GET is still possible though using JSONP, but then you send passwords in the query string. Using an iframe loaded over HTTPS, however, it is possible to do a POST over HTTPS, which is a little bit safer in my opinion. – Leven Jan 30 '13 at 09:03
  • @Leven, that's the same problem, you shouldn't use an Ajax login system from an HTTP page to an HTTPS page anyway. Being able to check that HTTPS is used (and that it's the correct address with a valid cert) on the page you're currently on and where you're typing your credentials is essential for security. Both iframes and Ajax popups are bad because of this. The POST/GET distinction then becomes irrelevant. – Bruno Jan 30 '13 at 10:40
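The answer and the comment thread make three separate points: the page that hosts a password field must itself be HTTPS (otherwise the iframe or form markup can be altered in transit and the user has no way to check where the credentials go), the form action must be HTTPS, and the method must be POST so the password does not end up in a query string and the server's access log. The audit below, an added example that is not code from the question, the answer or Basecamp, applies those three checks to a page. It parses the HTML with the standard library, finds every form that holds a password field and reports which of the three conditions fails. The `example.test` URLs, the finding codes and the token placeholder are constructed for the example; the sample form is the one from the question with the real token removed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Human-readable meaning of each finding code (codes are this example's own naming).
FINDINGS = {
    "insecure-hosting-page": "the page containing the form is not HTTPS, so the form/iframe "
                             "markup can be altered in transit and the user cannot verify "
                             "where the credentials go",
    "plain-http-action": "the form action is not HTTPS, so the credentials travel in clear",
    "get-method": "the form uses GET, so the password lands in the query string and server logs",
}


class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",          # empty action submits to the page itself
                "method": (a.get("method") or "get").lower(),  # HTML default method is GET
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [(absolute_action_url, [finding codes])] for each form with a password field.

    page_url is the URL the browser shows for the document that contains the form;
    that is the context the user can actually verify, whatever the iframe or action uses.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])  # resolve relative actions against the page
        codes = []
        if page_scheme != "https":
            codes.append("insecure-hosting-page")
        if urlsplit(action).scheme.lower() != "https":
            codes.append("plain-http-action")
        if form["method"] != "post":
            codes.append("get-method")
        results.append((action, codes))
    return results


# Constructed sample: the form from the question, with the real token replaced by a placeholder.
SAMPLE_PAGE = """
<iframe id="bc1" name="_bc1"></iframe>
<form method="post" id="bcform" action="https://launchpad.37signals.com/session" target="_bc1">
  <input name="authenticity_token" type="text" value="TOKEN-PLACEHOLDER" />
  <input id="product" name="product" type="text" value="basecamp" /><br/>
  <input id="username" name="username" type="text" />
  <input id="password" name="password" type="password" />
  <input name="commit" type="submit" value="Sign In" />
</form>
"""

if __name__ == "__main__":
    # The same form passes when served from an HTTPS page and fails when served from HTTP.
    for url in ("http://example.test/login.html", "https://example.test/login.html"):
        for action, codes in audit_login_forms(url, SAMPLE_PAGE):
            print(url, "->", action, "OK" if not codes else "")
            for c in codes:
                print("   ", c, ":", FINDINGS[c])
```

Run against the question's form, the only finding on an `http://` page is `insecure-hosting-page`: the action is HTTPS and the method is POST, which is exactly the situation Bruno describes, where the transport of the credentials is fine but the context the user is typing into is not. Serving the same page over HTTPS clears it.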