Stop Javascript Redirect in Pop-Up Window

Question

Hello,

I'm using the Telerik RadWindow control in one of my applications. When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter.

However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected.

The control works just fine when the URL is pointed at a site other than Twitter. I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. Any advice on how to implement this functionality would be greatly appreciated.

Thanks in advance.

Answer 1

This behavior is probably caused by Twitter. In fact, it should happen on many other sites as well (Facebook and similar). To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. This way they can ensure that no rogue JavaScript will be running while the user enters their username and password.

Answer 2

Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up.

Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows.

The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. Best to just let your site do a full redirect for now.