Secure/effective approach to accessing DataMarket services when the client is required to be iframe embedded?


  • Saturday, August 18, 2012 5:50 PM
     
     

    I am building an app in which the HTML/JavaScript client is required to be embedded within an iframe provided by the platform provider. The containing frame provides infrastructural services including identity management. The server in my app is ASP.NET MVC 4 using Adam Wilson's excellent DataMarket OAuth Sample.

    I believe (though this is only from a cursory evaluation that appears to prove the point), that Azure DataMarket pages will not load when accessed from an iframe embedded page. Specifically, GETting the 'consent' request (URL below) is 'canceled', as are other pages on the site including the root/default page. I was able to reproduce the problem by adding the links to the HTML panel in jsFiddle (which, by design, runs the panels within iframes) and by manually concocting an HTML page containing an iframe referencing the DataMarket URL.

    https://datamarket.azure.com/embedded/consent

    A simple solution to my predicament would appear to be opening the page that triggers the OAuth flow in a separate tab/window. This won't be constrained by an iframe, the DataMarket pages should work and the cookie should be created. The separate tab/window will then need to close itself and refresh the page from which it was called.

    Questions

    • Is this an appropriate/secure approach?
    • Is there a better way?
    • Am I misunderstanding something?




    • Edited by Daz Wilkin 2 Saturday, August 18, 2012 5:51 PM

All Replies

  • Monday, August 20, 2012 6:09 AM
    Moderator
     
     

    Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.
     
    Appreciate your patience.



  • Monday, August 20, 2012 7:26 AM
    Moderator
     
     Answered

    Hi,

    I think the problem is about using an HTTPS iframe in an HTTP page. This is not a recommended approach. You can refer to the thread below for an explanation:

    http://stackoverflow.com/questions/3144986/http-https-iframe

    I think the solution you mentioned is right.


    Allen Chen [MSFT]

  • Monday, August 20, 2012 4:13 PM
     
     

    Allen

    Thanks for your reply. Both pages are being delivered over HTTPS. Thanks for validating the approach. I will invest some time getting it to work!

    Daz

  • Monday, August 20, 2012 4:46 PM
    Moderator
     
     Answered

    Yes, your approach of opening a new browser window will work well in this situation.

    For an example of this in action, take a look at this site and click the red "Sign up for a Stats account" button.

  • Monday, August 20, 2012 5:12 PM
     
     
    Terrific! Thanks.
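
The popup approach discussed in this thread, sketched as an added example (not part of the original thread, and not code from DataMarket or the OAuth sample). `APP_ORIGIN`, the `/oauth/start` path, the `nonce` query parameter and the message shape are hypothetical names for pages on your own server; the point is that the iframe only refreshes when the completion message comes from its own popup, from its own origin, with the nonce it issued.

```javascript
// Added example: names, paths and the message shape are assumptions, not DataMarket's API.
const APP_ORIGIN = 'https://app.example';    // hypothetical origin of your ASP.NET MVC app
const START_PATH = '/oauth/start';           // hypothetical page that triggers the OAuth flow
const MSG_TYPE = 'datamarket-consent-done';  // hypothetical message type

// One-time nonce tying this popup to the iframe that opened it.
function newNonce(rng = globalThis.crypto) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Iframe side: open the flow as a top-level window (call from a click handler).
function openConsentPopup(win, nonce) {
  const url = APP_ORIGIN + START_PATH + '?nonce=' + encodeURIComponent(nonce);
  const popup = win.open(url, 'datamarket_consent', 'width=600,height=700');
  if (!popup) throw new Error('popup blocked; ask the user to allow it');
  return popup;
}

// Iframe side: accept the completion message only from our own popup and origin.
function isTrustedCompletion(event, popup, nonce) {
  return event.origin === APP_ORIGIN &&
         event.source === popup &&
         event.data !== null && typeof event.data === 'object' &&
         event.data.type === MSG_TYPE &&
         event.data.nonce === nonce;
}

// Iframe side: wire it together; onDone typically reloads the iframe.
function runConsentFlow(win, onDone, rng) {
  const nonce = newNonce(rng);
  const popup = openConsentPopup(win, nonce);
  function listener(event) {
    if (!isTrustedCompletion(event, popup, nonce)) return; // ignore everything else
    win.removeEventListener('message', listener);
    onDone();
  }
  win.addEventListener('message', listener);
  return { nonce, popup };
}

// Popup side: run on the app's own callback page after the server has finished
// the OAuth exchange. Pinning the target origin keeps other origins from reading it.
function notifyOpenerAndClose(win, nonce) {
  if (win.opener) win.opener.postMessage({ type: MSG_TYPE, nonce }, APP_ORIGIN);
  win.close();
}
```

In the iframe, call `runConsentFlow(window, () => location.reload())` from a click handler; the callback page calls `notifyOpenerAndClose(window, nonce)` with the nonce your server echoed back.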