Is it possible to load content within an IFRAME that subsequently returns a 302 redirect, without having it redirect the entire browser window to the destination? I.e. limit the redirect to the IFRAME itself? If so, how?

EDIT1: To restate... I have an IFRAME, the source of which is a self-posting FORM. The action returns a 302 to somewhere else. When that happens, the entire page redirects. What I want is to have ONLY the IFRAME redirect, leaving the surrounding page alone.

EDIT2: To clarify further, this is an SSO SAML implementation. The IFRAME content should contain the newly signed-into application. The SSO is working correctly but the entire browser page redirects into the application, losing the containing page. The SAML aspect may not change the diagnosis that the application is "frame-busting," but it may trigger some other ideas.

+4  A: 

It's impossible not to limit a 302 redirect to the iframe itself. An HTTP redirect occurring inside an iframe will never affect the containing page. What you're asking for is already the only behaviour you will see.

There's probably a frame busting script on the redirect target page. It's difficult to prevent an iframe from breaking out, but there are tricks to deal with that too.

Martin
@Martin - what I'm seeing is the entire page redirecting, when I want only the IFRAME content to redirect.
bill weaver
@Martin - I'll keep digging and try to get more info from the owner of the redirecting page. Maybe there *is* something else going on. I'll post more info if I get any. Thanks.
bill weaver
@Martin - yes, frame-busting was present on the loaded page. Thanks!
bill weaver
+1  A: 

I bet you are dealing with a JavaScript-based "Frame buster" on the redirection target page's end. You would have to switch that off, or have it switched off.

Pekka
@Pekka - that's possible. I have added info explaining that this is a SAML SSO situation. I will see if I can find out if the SSO target app is frame-busting.
bill weaver
@bill turn off JavaScript (e.g. using the Web Developer Toolbar in Firefox) and see whether the behaviour persists. It is also possible to set a `target='_top'` property in a form, which will escape the iframe without JavaScript.
Pekka
@Pekka - +1 - yes, frame-busting was present on the loaded page. Accepting @Martin's answer since it was first.
bill weaver
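
To confirm the diagnosis both answers reach, the HTML returned by the framed application can be scanned for the two escape mechanisms mentioned above: a script that navigates the top-level window, and markup carrying `target="_top"`. This is an added example, not part of the original answers; `findFrameEscapes` and the sample pages are constructed for illustration, and the patterns are heuristics that only inspect inline scripts and static markup.

```javascript
// Heuristic patterns for script-driven navigation of the top-level window.
const SCRIPT_PATTERNS = [
  { kind: "script-top-navigation",
    re: /\b(?:window\.)?(?:top|parent)\.location(?:\.href)?\s*=(?!=)/ },
  { kind: "script-top-navigation",
    re: /\b(?:window\.)?(?:top|parent)\.location\.(?:replace|assign)\s*\(/ },
  { kind: "script-frame-check",
    re: /\b(?:top|self)\s*!==?\s*(?:window\.)?(?:self|top)\b/ },
];

// Markup that targets the top-level browsing context without any script.
const TARGET_RE = /<(form|a|base)\b[^>]*\btarget\s*=\s*["']?(_top|_parent)\b/gi;

// Returns a list of { kind, evidence } findings for one HTML document.
function findFrameEscapes(html) {
  const findings = [];
  // Only inline <script> bodies are inspected, so prose that merely
  // mentions "top.location" is not reported.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    for (const { kind, re } of SCRIPT_PATTERNS) {
      const hit = re.exec(m[1]);
      if (hit) findings.push({ kind, evidence: hit[0].trim() });
    }
  }
  while ((m = TARGET_RE.exec(html)) !== null) {
    findings.push({ kind: "markup-target",
                    evidence: `<${m[1].toLowerCase()} target=${m[2]}>` });
  }
  return findings;
}

// Constructed sample pages (not taken from any real application).
const BUSTING_PAGE = `<html><head><script>
  if (top !== self) { top.location = self.location; }
</script></head><body>app</body></html>`;
const FORM_PAGE = `<form method="post" action="/acs" target="_top">
  <input type="hidden" name="SAMLResponse" value="constructed"></form>`;
const CLEAN_PAGE = `<p>Docs: top.location = x breaks frames</p>
  <form method="post" action="/next"></form>`;

for (const page of [BUSTING_PAGE, FORM_PAGE, CLEAN_PAGE]) {
  console.log(findFrameEscapes(page));
}
```

An empty result does not prove the page stays framed, since external script files and dynamically generated markup are not examined.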