0

I have an application that includes an iframe to a page on my website, but i don't want anyone not using the application to access it, so i put basic http authentication on the page, is there a way to make javascript send the information from the application to load the frame so the user doesn't have to know the login details?

EDIT: Understand that the javascript is obfuscated, which would deter anyone but the most determined from obtaining the login information, in the rare case that happens, i can change the password and publish a new version.

Further information: I had originally planned to have a user-agent based filter but changing the user-agent of an iframe with IE7 is impossible.

Obscenity
  • 9
  • 6
  • 1
    Not securely. If the page can send some auth, then anyone who looks at the page's Javascript can find the credentials and use them in other pages. – jfriend00 Dec 26 '15 at 10:49
  • @jfriend00 see my edit – Obscenity Dec 26 '15 at 11:04
  • I'm bad with web servers, but can't you include a "HTA indicator" as a query string to the URL in iframe's `src`? Then detect the query string at your server, and redirect, if the "HTA indicator" wasn't found. That way the "credentials" could be seen only in HTA's source. – Teemu Dec 26 '15 at 15:56
  • 1
    Obfuscation doesn't really deter anyone who wants to abuse your page or resources. It has to be deobfuscated when it's sent over the network so anyone can see it plain as day there in lots of web development tools. Obfuscation is not a deterrent against much. – jfriend00 Dec 26 '15 at 18:58
  • Why not make a different version of that page that doesn't require authentication? Or do the auth server side, and serve up the pre-generated content to the user? That would be much safer and probably easier than trying to make JS (even if it's obfuscated) send in the password – Krease Feb 10 '16 at 08:30

0 Answers0