views:

205

answers:

0

Anyone reading my last batch of questions knows I'm working on a Firefox add-on for my office intranet. So, here's the latest; this time a concern instead of an obstacle:

So, my first plan was to build a sign-in form right into the chrome, so that it blended and didn't require any dealings with iframes/browsers/etc. But after some thinking, I decided this was a bad idea because:

a. It's less secure

b. The people that care that it's less secure would fire me.

c. Security is a good thing. I don't want to mess up an already-in-place secure set up just to avoid a login screen.

Plus if anything DID happen, man would I feel bad.

So, plan b:

Put an iframe in a chrome panel/window, that way it's the actual secure server that everyone signs into, safe as always.

Problems:

  • I don't know if chrome screws with the security of the page. I've been very happy so far with my ability to break all kinds of security protocols (cross-domain cookie getting and setting, iframe content editing) that is allowed at the chrome-level, but I'm worried that the trade off is that everything is less secure, even in an iframe.

  • Notice the mention of iframe editing. Half the reason for all of this is that the sign on page is ugly, has alerts on sign on success, and automatic redirects. But do I somehow lose the security when I fiddle with the browser output?

Essentially, I need some peace of mind as well as some ammunition in case someone else has doubts when this add on makes the rounds.

Oh, and the page is SSL, typical https protocol with a CA cert from VeriSign.

Also, I noticed that with Net monitoring in Firebug that I can see my password clear as day in the POST headers. Does that mean nothing is safe at the browser level? Is there at least a way to wipe any trace of the transaction after it happens?

thanks as always!