
How to do authentication in bookmarklet?

I would like my bookmarklet to require the user to log in. Here is the idea: I create an iframe for the user to log in, and show the account information. But I would like to get some information from the server; for example, I would like to know whether the user has already added this page to my server or not. So I want to make an AJAX call, but because of the same-origin policy, I can't do it by AJAX. So, how can I get information from the iframe?

The story is something like this:

User web -> user clicks the bookmarklet -> if logged in -> show an 'add to fav' button -> user clicks the 'add to fav' button, the URL is submitted to the server, then reload.

User web -> user clicks the bookmarklet -> if not logged in -> show a login button -> login success -> do the flow as above

User web -> user clicks the bookmarklet -> if logged in -> check if the website is already added on the server -> no fav button

As you can see, only the iframe stores the information of the logged in user.

DNB5brims asked Nov 14 '22 18:11



1 Answer

What you are doing is impossible because it violates the origin inheritance rules. Think of it this way: if you could obtain information from another website in this fashion, then you could read CSRF tokens, or read someone's email from their Gmail account.

Speaking of CSRF, most logins are just a simple POST with a username/password. You build a simple <form> on your website that is identical to the POST request needed to log in. Using JavaScript you can call .submit() on the form, which redirects the browser to their newly authenticated session. In fact, this is how a POST-based CSRF exploit works (although usually in a CSRF attack you assume the browser is already authenticated).

Of course this won't work for all applications, like OpenID or Gmail, because these services often include a random value along with the login request.

rook answered Dec 23 '22 13:12

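As an added illustration (this is editor-supplied example code, not part of rook's answer or the asker's project), here is a small JavaScript sketch of the two mechanisms the answer describes: the origin comparison a browser applies before it lets script on one page read the content of an iframe from another, and the pre-built, self-submitting login form. The target URL `https://bookmarks.example/login`, the field names, and the token-name heuristic at the end are all assumptions made for the example.

```javascript
// Added example, not from the original question or answer.

// Part 1: why the bookmarklet cannot read the iframe.
// A browser origin is (scheme, host, port) and nothing else. The bookmarklet
// runs in the origin of whatever page the user is on; the login iframe runs
// in the bookmarking service's origin, so the two never match.
function originOf(urlString) {
  const u = new URL(urlString);
  // u.host already includes a non-default port and drops a default one
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Part 2: the "identical <form> + .submit()" login POST the answer describes.
// Builds markup for a form that POSTs `fields` to `action` and submits
// itself as soon as it is parsed. Every value is HTML-escaped so that
// user-supplied text cannot break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function buildAutoSubmitForm(action, fields, formId = 'login') {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n  ');
  return [
    `<form id="${escapeHtml(formId)}" method="POST" action="${escapeHtml(action)}">`,
    `  ${inputs}`,
    `</form>`,
    `<script>document.getElementById(${JSON.stringify(formId)}).submit();</script>`,
  ].join('\n');
}

// Part 3: the caveat in the answer. If the real login form carries an
// unpredictable per-session value, a copy built ahead of time cannot
// reproduce it. Given the names of the fields the genuine form sends, this
// heuristic (an assumption, not a rule) flags whether a pre-built copy
// could plausibly work.
const TOKEN_FIELD_PATTERN = /(csrf|xsrf|token|nonce|authenticity)/i;

function loginLooksForgeable(fieldNames) {
  return !fieldNames.some((name) => TOKEN_FIELD_PATTERN.test(name));
}

// Example usage with made-up values:
//   isSameOrigin('https://news.example/article', 'https://bookmarks.example/frame')
//   buildAutoSubmitForm('https://bookmarks.example/login',
//                       { username: 'alice', password: 'secret' })
```

`isSameOrigin` is the check the browser performs on your behalf: because `news.example` and `bookmarks.example` differ, `iframe.contentDocument` is `null` from the bookmarklet's side, which is the "impossible" in the answer. `buildAutoSubmitForm` is the page the answer proposes hosting; note that it only logs the browser in, it still does not let the outer page read anything back.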