tags:

views:

213

answers:

2
+2  Q: 

How to Restrict a SAML 302 Redirect to an IFRAME?

Is it possible to load content within an IFRAME that subsequently returns a 302 redirect, without having it redirect the entire browser window to the destination? I.e. limit the redirect to the IFRAME itself? If so, how?

EDIT1: To restate... i have an IFRAME, the source of which is a self-posting FORM. The action returns a 302 to somewhere else. When that happens, the entire page redirects. What i want is to have ONLY the IFRAME redirect, leaving the surrounding page alone.

EDIT2: To clarify further, this is an SSO SAML implementation. The IFRAME content should contain the newly signed-into application. The SSO is working correctly but the entire browser page redirects into the application, losing the containing page. The SAML aspect may not change the diagnosis that the application is "frame-busting," but it may trigger some other ideas.

+4  A: 

It's impossible not to limit a 302 redirect to the iframe itself. An HTTP redirect occuring inside an iframe will never affect the containing page. What you're asking for is already the only behaviour you will see.

There's probably a frame busting script on the redirect target page. It's difficult to prevent an iframe from breaking out, but there are tricks to deal with that too.

Martin  2010-02-25 22:40:10
@Martin - what i'm seeing is the entire page redirecting, when i want only the IFRAME content to redirect.
bill weaver  2010-02-26 03:19:27
@Martin - i'll keep digging and try to get more info from the owner of the redirecting page. Maybe there *is* something else going on. I'll post more info if i get any. Thanks.
bill weaver  2010-02-26 15:19:00
@Martin - yes, frame-busting was present on the loaded page. Thanks!
bill weaver  2010-03-09 20:01:25
+1  A: 

I bet you are dealing with a JavaScript-based "Frame buster" on the redirection target page's end. You would have to switch that off, or have it switched off.

Pekka  2010-02-26 15:35:50
@Pekka - that's possible. I have added info explaining that this is a SAML SSO situation. I will see if i can find out if the SSO target app is frame-busting.
bill weaver  2010-02-26 16:11:36
@bill turn off JavaScript (e.g. using the Web Developer Toolbar in Firefox) and see whether the behaviour persists. It is also possible to set a `target='_top'` property in a form, which will escape the iframe without JavaScript.
Pekka  2010-02-26 16:29:51
@Pekka - +1 - yes, frame-busting was present on the loaded page. Accepting @Martin's answer since it was first.
bill weaver  2010-03-09 20:02:22

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.