Credential filling in cross-origin iFrame - dom

The same origin policy prohibits that a top-level domain can access cross-origin iFrames. A browser extension's content script runs in the context of the top-level page (https://developer.chrome.com/extensions/content_scripts) and thus cannot access an iFrame if it is cross-origin. Is it impossible that a password manager extension can fill in credentials into a cross-origin iFrame? How do password manager vendors handle this?
I guess this is only possible for password managers that are built in to the browser itself, but not for browser extensions.

From your link (https://developer.chrome.com/extensions/content_scripts):
all_frames
Optional. Defaults to false, meaning that only the top frame is
matched.
If specified true, it will inject into all frames, even if the frame
is not the topmost frame in the tab. Each frame is checked
independently for URL requirements, it will not inject into child
frames if the URL requirements are not met.

Related

External URL loading issue in custom teams tab

We're trying to load an external url in our custom tab. The login page for this domain appears successfully, however when we proceed and try to sign in it stays on the page and does not redirect user to home screen. Here are some observations:
When the same URL is loaded in teams "Website" tab then everything works as expected.
Teams "Website" tab loads the url as it is i.e. WITHOUT iFrame and the custom tab loads the url within an iFrame.
In console window on login inside iFrame I can see cookies related issue which is something like:
"Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests."
Any help or hint would be greatly appreciated.

What does "Cookies used by frames from X" mean in Chrome Dev Tools?

In Chrome Dev Tools > Application under Cookies I see a list of URLs. When I hover over each one, Chrome shows the message "Cookies used by frames from X".
At first, I assumed that frames meant "iframe", i.e. if an iframe was used on this webpage from source X, then any cookie set by visiting that (iframe view of the) site would show up in the dev tools for your inspection. However, I checked to see if there was always a corresponding iframe for each source, and that is not the case.
So my questions in summary are:
what does "frame" mean in this context?
Why are these cookies almost always empty? For example, I'm looking right now at "Cookies used by frames from https://www.facebook.com", and it's empty.
As mentioned in Chrome DevTools documentation:
When you expand the Cookies category, it displays a list of domains of
the main document and those of all loaded frames. Selecting one of
these "frame groups" displays all cookies, for all resources, for all
frames in that group. There are two consequences of this grouping to
be aware of:
Cookies from different domains may appear in the same frame group.
The same cookie may appear in several frame groups.
Here is a more explicit explanation from Mozilla Storage Inspector documentation (although it isn't Chrome, the concept is similar):
Cookies — All the cookies created by the page or any iframes inside of
the page. Cookies created as a part of response of network calls are
also listed, but only for calls that happened while the tool is open.
So, basically, you will see the main document's domain and all its iframes.
About the "empty" frames with no corresponding frame
It is interesting. It is related to the Preload pages for faster browsing and searching example or Page Prefetch or prerendering feature that Chrome has.
This feature is under Chrome settings > Privacy and Security > Cookies and site data.
What this feature does is prefetch links on the page that you are probably gonna click. This allows the page to load a bit faster when accessing it.
If you dig in their docs you will find this:
Prerendered requests will use a ChromeURLRequestContext which has a
new CookieStore interface, but is otherwise the same as the current
profile’s ChromeURLRequestContext. If the PrerenderContents are
discarded without being used, the changes made to the CookieStore
interface go away. Otherwise, the deltas will be committed to the main
CookieStore for the profile. If there is a merge problem, the
prerendered page is discarded and a fresh request is issued.
This means that for the prerendered requests using a different CookieStore - this is the reason that it's empty on your main profile DevTools. It stores the cookies in a different store and merges them to the main store after you actually click on the link.

How do I disable or redirect a php page unless its hot-linked?

I have a page called club.php. I want to disable people from being able to see my webpage if they type in www.mysite.com/club.php unless they are linked from another page. I have a page where you need to enter a password to access this.
I'm hoping I can simply drop code into my pages (javascript or something?)
There is an HTTP header called Referer, which contains the URI of the site from which the request to your site originated from. You can read the content of this header in PHP via $_SERVER["HTTP_REFERER"] (see http://php.net/manual/en/reserved.variables.server.php).
But please be aware that you can't rely on that this header field is set or not, so testing against the content of the header is not a serious security measure for protecting a particular page from beeing viewed from unauthorized visitors. You can set/unset the value of the header to any arbitrary value with your Browser or Addon.

Is it possible to access the current browser url from a Facebook Page Tab iframe

I have a facebook page tab iframe and would like to access the browser url in order to get the current facebook page url.
I know it's not possible to use a javascript that interacts with the parent frame because of browser security issues.
An approach that didn't work for all browsers was to read the HTTP_REFERER header from the request.
Is there a better way?
I hope this is impossible at all. Otherwise it will be a security issue, likely to be closed.
You should not write code depending on compromising other users.
It is not possible to get URL of a parent Frame due to cross-domain policy. And there is no way to get the information about page your application running on in client-side.
But on the server-side you can reconstruct the Page URL using details passed in signed_request. For Page Tab Applications it contains page:
A JSON object containing the page id string, the liked boolean (set to true if the user has liked the page, false if not) and the admin boolean (set to true if the user is an admin of the page, false if they're not).
Using that page id you can build the Page URL:
http://www.facebook.com/pages/-/PAGE_ID
If you want the link to your Page Tab with your application use:
http://www.facebook.com/pages/-/PAGE_ID?v=app_APPLICATION_ID
Beware, HTTP_REFERRER is provided by client and cannot be trusted, and it's may be cut by plugin/proxy/etc...
Notes:
Pages may have different URL in real life, but using this technique user will be landing the correct Page since Facebook will issue redirect to correct URL of a Page.
Sample URLs use HTTP scheme, feel free to use HTTPS if you need it.
In PHP for example you can detect the current scheme like this:
$scheme = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']!=="off") ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO']=="https")
) ? 'https' : 'http';
HTTP_REFERRER might not work as expected in my experience. If the tab app is designed for a specific page (which I suppose it kind of should), have you tried recreating it?
https://www.facebook.com/MYPAGENAME/app_MYAPPID
Where MYPAGENAME is your page name and MYAPPID is the app id, of course.
If the tab is applied to multiple pages though, I'm quite sure you'll get the relevant data to apply the above from https://graph.facebook.com/PAGEID, where PAGEID is the ID of the page which you get from the signed request.

facebook iframe app - how to organize and write code for faster page loading - PHP SDK

I am writing an app within a facebook iframe and am unsure how best to write this. I originally wrote all the code within the main canvas.php file but found everything was running too slow before results were being loaded into the iframe.
I then tried using the php header location method so to try and load different pages into the iframe, thus reducing page load time. However, the header location is ignored.
I have also tried using javascript to get the page to load within the iframe instead, this does load in the new page but the page experiences lots of problems. It wil not pass parrameteres to itself using $_GET.
Basically, I need to perform some checks when the canvas page is first loaded in the iframe and then re-direct to another file to avoid the checks being perfomed on every page load as this seriously shows everything down. I then need to have page reloads with different parrameteres in the URL to populate the iframe with different results, again this is very slow as it has to perfomr all the checks again.
Therefore, how can I achieve a smooth workflow as a normal site within a facebook iframe?
[EDIT] Just thought is Ajax a valid option?
Many thanks in advance.
Most people experience slow response times due to not having a channelURL specified. See http://developers.facebook.com/docs/reference/javascript/
Channel File
The channel file addresses some issues with cross domain communication
in certain browsers. The contents of the channel.html file can be just
a single line:
It is important for the channel file to be cached for as long as
possible. When serving this file, you must send valid Expires headers
with a long expiration period. This will ensure the channel file is
cached by the browser which is important for a smooth user experience.
Without proper caching, cross domain communication will become very
slow and users will suffer a severely degraded experience. A simple
way to do this in PHP is:
The channelUrl parameter is optional, but recommended. Providing a
channel file can help address three specific known issues. First,
pages that include code to communicate across frames may cause Social
Plugins to show up as blank without a channelUrl. Second, if no
channelUrl is provided and a page includes auto-playing audio or
video, the user may hear two streams of audio because the page has
been loaded a second time in the background for cross domain
communication. Third, a channel file will prevent inclusion of extra
hits in your server-side logs. If you do not specify a channelUrl, you
can remove page views containing fb_xd_bust or fb_xd_fragment
parameters from your logs to ensure proper counts.
The channelUrl must be a fully qualified URL matching the page on
which you include the SDK. In other words, the channel file domain
must include www if your site is served using www, and if you modify
document.domain on your page you must make the same document.domain
change in the channel.html file as well. The protocols must also
match. If your page is served over https, your channelUrl must also be
https. Remember to use the matching protocol for the script src as
well. The sample code above uses protocol-relative URLs which should
handle most https cases properly.