6

There seem to be a number of techniques to authenticate a person on the web. Most commonly there are

  • JavaScript Pop-ups (Google, Firefox Persona, Disqus, etc)
  • HTTP Redirects (OAuth, Facebook)
  • IFrames, with sandboxing set as needed.

Question

Is one approach more secure than the others? What are the tradeoffs?

Come to think of it, I think Facebook may offer both OAuth Redirects and a JS-based popup.

makerofthings7
  • Are you exclusively referring to authentication on third-party sites? I'm asking because I don't see Google doing pop-ups by default. – Arminius May 02 '17 at 18:36
  • if the popup is a window, they should be the same, if the rules are being enforced. – dandavis May 02 '17 at 18:42

2 Answers

4

Iframes are dangerous as the user has no easy way of verifying that the embedded page is indeed, say, facebook.com and not some phishing page. Depending on how it is set up, allowing embedding might also enable clickjacking.

Using a popup versus redirecting the current page is just a matter of user experience and has no impact on security.

user2428118
1

To the question of popups there is less of a security concern versus a UX concern. Many browsers and their anti-nuisance plugins may prevent popups from working as expected. Redirects tend to be cleaner, particularly for mobile devices such as phones and tablets.

  • E.g. Facebook embedded (in-app) Safari browser on iPhone will never display a popup and the market share of this (horrific) browser is too significant to ignore for some sites. – Jacek Gorgoń Sep 07 '18 at 11:20