Hi, I want to host the Yahoo OpenID login in an iframe. However, as soon as the Yahoo page loads, it executes the following JavaScript:

<script type="text/javascript">
if (top == self) { document.write(""); }
else { top.location.href = "http://www.yahoo.com"; }
</script>

In other words, it redirects the whole page (not just the iframe). How can I prevent this redirect (all legal issues aside!)?

+1  A: 

I don't think that's how you're supposed to properly implement it and that code is there for a reason. Have you gone through http://developer.yahoo.com/openid/ ?

meder
I know what I am supposed to do. I just want to do it differently.
usr
Perhaps there's a reason you're required to do it a certain way?
phoebus
Honestly... you should not want to and cannot alter the code in an external domain that's hosted in your iframe.
meder
I just want the OpenID to be displayed inside of an iframe for the users' convenience. I am not some kind of fraudster...
usr
Why can't you do it the official and supported way?
meder
Because it is not as convenient for the users. Would [i]you[/i] want a popup?
usr
Oh, I am so used to doing BBCode...
usr
+5  A: 

Yahoo are absolutely right to stop you doing this; all OpenID providers should.

Putting OpenID in a frame means no visible address bar means no guarantee that the OpenID login form is actually coming from Yahoo; in fact, it looks like it's coming from your site. A user trying to avoid being phished should never enter their password into such a form. The whole point of OpenID is that it can guarantee your identity without making you give your password to every site you want to log in to.

So, no, you can't prevent it.

bobince
I think you are right that providers should prevent this. Now changing perspective to me: I happen to want what they don't want. Just help me do it. Where is the harm?
usr
It can't be done, and if it could be done it would be a security hole that Yahoo would have to fix. Or you want me to hack Yahoo's servers for you and change it? :-)
bobince
If my search turns up empty I'll get back to your offer ;-)
usr
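
An added example, not part of the thread: the script in the question is one way a provider refuses to be framed, and the same policy is commonly sent as `X-Frame-Options` or CSP `frame-ancestors` response headers. The sketch below models how a browser evaluates those headers, so a provider can check that its login page refuses framing by a relying site; the origins `idp.example` and `rp.example` and the sample headers are constructed for illustration.

```javascript
// Added example, not code from the thread. Simplified model: one level of
// framing, origins given as scheme://host, no ports or paths in sources.
function sourceMatches(source, parentOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parentOrigin === pageOrigin;
  if (s.endsWith(":")) return parentOrigin.startsWith(s + "//"); // e.g. https:
  const wild = s.match(/^(https?):\/\/\*\.(.+)$/);               // https://*.example
  if (wild) {
    const u = new URL(parentOrigin);
    return u.protocol === wild[1] + ":" && u.hostname.endsWith("." + wild[2]);
  }
  return s === parentOrigin;
}

// Returns true if a browser would render the page inside a frame on parentOrigin.
function framingAllowed(headers, parentOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const parent = parentOrigin.toLowerCase();
  const page = pageOrigin.toLowerCase();

  // A frame-ancestors directive, when present, is enforced instead of X-Frame-Options.
  for (const directive of (h["content-security-policy"] || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    return sources
      .filter((s) => s.toLowerCase() !== "'none'")
      .some((s) => sourceMatches(s, parent, page));
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent === page;
  // No header, or a value browsers ignore (such as the obsolete ALLOW-FROM):
  // nothing at the HTTP layer stops the page from being framed.
  return true;
}

// Constructed sample responses for a login page at https://idp.example.
const IDP = "https://idp.example", RP = "https://rp.example";
const samples = {
  none: {},
  deny: { "X-Frame-Options": "DENY" },
  csp: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  sameorigin: { "X-Frame-Options": "SAMEORIGIN" },
};
for (const [label, hdrs] of Object.entries(samples))
  console.log(label, "framed by RP:", framingAllowed(hdrs, RP, IDP));
```

A login page that returns `true` for a third-party parent here has no header-level protection against being embedded.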