How to embed a small external webapp in an iframe?

  • Question

  • User135778780 posted

    I have a .NET application that needs to call another external web app. This external web app is also an ASP.NET MVC app that returns one fully functional view. This means it returns a view that has a few textboxes and radio buttons and a submit button.

    When I call this webapp from the first webapp, it shows the view inside it and so on. I am not sure how do I submit the form to the external web app. Because isn't it that it will check for cross site scripting and deny the request? How to overcome that?

    Thanks!

    Wednesday, April 22, 2015 8:16 AM

All replies

  • User71929859 posted

    I am not sure how do I submit the form to the external web app. Because isn't it that it will check for cross site scripting and deny the request? How to overcome that?

    Unless you've specifically implemented AntiForgeryToken, AFAIK, an MVC app wouldn't check for Cross-Site Request Forgery. Cross Site Scripting (a.k.a. XSS) is different. It happens between the browser and client. What you have to worry about in this case is CSRF. You can read more at the link below:

    https://msdn.microsoft.com/en-us/magazine/hh708755.aspx

    Sunday, April 26, 2015 7:57 AM
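
What the reply above describes, as an added example that is not part of the thread: an MVC 5 POST action only rejects forged requests once the view emits the token and the action carries `[ValidateAntiForgeryToken]`. It goes one step beyond the reply to cover the iframe case, because `Html.AntiForgeryToken()` also sends `X-Frame-Options: SAMEORIGIN` by default, which stops another origin from framing the form. `FeedbackController`, `FeedbackModel`, `AllowFramingByHostAttribute` and `https://host.example` are hypothetical names.

```csharp
// Added example (not from the thread). All type names and the host origin are hypothetical.
using System.Web.Helpers;
using System.Web.Mvc;

public class FeedbackModel
{
    public string Name { get; set; }
    public string Rating { get; set; }
}

// Allows framing only by the one named host application instead of by any site.
public class AllowFramingByHostAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext ctx)
    {
        ctx.HttpContext.Response.AddHeader(
            "Content-Security-Policy", "frame-ancestors https://host.example");
    }
}

public static class AntiForgerySetup
{
    // Call once from Application_Start. Html.AntiForgeryToken() otherwise adds
    // X-Frame-Options: SAMEORIGIN, so the cross-origin host page could not embed the view.
    public static void Configure()
    {
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }
}

[AllowFramingByHost]
public class FeedbackController : Controller
{
    // The Razor view for this action must emit the token inside its form:
    //   @using (Html.BeginForm("Submit", "Feedback", FormMethod.Post)) {
    //       @Html.AntiForgeryToken()
    //       @Html.TextBoxFor(m => m.Name) ... <input type="submit" value="Send" />
    //   }
    [HttpGet]
    public ActionResult Index() { return View(new FeedbackModel()); }

    // Without this attribute MVC performs no CSRF check on the POST. With it, a request
    // lacking a matching cookie/form token pair fails with HttpAntiForgeryException.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(FeedbackModel model)
    {
        if (!ModelState.IsValid) return View("Index", model);
        return View("Thanks"); // process the validated model before returning
    }
}
```

The token check passes only when the form was rendered by the embedded app itself, so a form posted from a page on the host application's own markup is rejected.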
  • User-952121411 posted

    Since this is an 'Architecture' forum I would advise against your provided approach. Coupling (2) MVC apps and relying on the Views being returned is not a great idea IMO. What you should consider is using something like WebAPI and a RESTful service to serve up the same required data for 1...n applications, but yet still have each app be responsible for its own Views. In this manner you can use more standard methods of security when interacting with the RESTful service and not have to tend to the niche security scenarios you questioned about earlier.

    I realize what I suggest is not a 'quick fix,' but you should consider an alternate approach if what you truly need is more than 1 application requiring the same underlying data. What happens if app #2 decided to all of a sudden use AngularJS for its front end and not MVC? By sharing Views you are coupled to a technology implementation. If you serve up the underlying data in a RESTful manner returning JSON/XML you don't have to be concerned at all with the consuming party's technology.

    Monday, April 27, 2015 3:56 PM