Saturday, July 10, 2010

IFrame URL should be displayed by the browser

I wasted several hours struggling through a problem with Facebook's OAuth implementation, trying to get it to work within an iframe. After a bit of research, I worked out that it is designed NOT to work in an iframe, to avoid phishing/clickjacking attacks, and this is, in fact, the recommended practice in the OAuth spec. Because the user can't tell (from the URL bar) what site an iframe comes from, it is recommended practice that the OAuth authentication happen in a popup window, or a page that you're redirected to, but not a page within an iframe.
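To make the "designed not to work in an iframe" behaviour concrete, here is an added example (not code from the original post, and not Facebook's or any OAuth library's implementation) of what an authorization page can do on the defensive side: detect that it has been framed, refuse to render its login form, and reopen itself at top level where the address bar shows the real origin. The `decideFraming` / `breakOutOfFrame` helpers and the window-like objects are my own constructions; the window object is passed in as a parameter so the logic can be exercised outside a browser, and in a real page you would call `breakOutOfFrame(window)`.

```javascript
// Added example: framing detection for an OAuth authorization page.
// Assumes a browser-like `win` with `self`, `top` and `location.href`.

// Decide what the authorization page should do given the window it runs in.
function decideFraming(win) {
  // A page is framed when its own window is not the top-level browsing context.
  const framed = win.self !== win.top;
  if (!framed) {
    return { framed: false, action: "render" };
  }
  // Framed: the user cannot see this page's URL in the address bar, so do not
  // render the login form. Offer the same URL at top level instead.
  return { framed: true, action: "break-out", target: win.location.href };
}

// Apply the decision: when framed, navigate the top-level window to the
// authorization URL so the browser chrome shows the real site.
function breakOutOfFrame(win) {
  const decision = decideFraming(win);
  if (decision.action === "break-out") {
    win.top.location.href = decision.target;
  }
  return decision;
}

// Header-based protection the authorization endpoint should also send.
// Both headers are real, standardized mechanisms; this helper that bundles
// them is a hypothetical convenience, not part of any library.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}
```

The script-based check is the part a developer notices when their iframe integration "mysteriously" fails; the response headers are the robust mechanism, because a framing page can neutralise in-frame scripts (for example with a sandboxed iframe), whereas the browser enforces `X-Frame-Options` and `frame-ancestors` before any script runs.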

In my opinion, this is getting things back asswards. This is a browser problem. Browsers should display (on mouse over, or focus) the actual URL for the iframe. If you're on www.foo.com, which contains an iframe hosted by www.bar.com, then when you mouse over the iframe, it should display the URL for that site (maybe hovering below the URL bar). Perhaps the browser could also change the mouse pointer, or have the favicon for the actual site appear near the cursor. It could also indicate whether the iframe is secure (https).

IFrames are great, but they do have security concerns... but those concerns should be addressed at the browser level, not by requiring unnatural user interface design.