
I know of at least two pages that I would have just assumed were a phishing scheme if I didn't know any better.

Serverfault.com is a Stack Exchange site on a different domain; however, if you click to sign in with Stack Exchange, it does not redirect you, it just prompts you for a username/password.

Steam Community does the same thing. It's perfectly legit, but it's a different domain than the official Steam page.

My perspective on this is that this is bad. If I'm being prompted to enter my Facebook credentials, I expect to see the facebook.com domain. Same for Steam, same for Stack Exchange.

That's the advice I've been giving everyone for the longest time, and friends actually called me up about the Steam Community one, where I had to dig in order to find out if it was a legit site or not.

Is this a valid practice? It stinks to high heavens imo.

Andrew Hoffman

1 Answer


The flip side is that an XSS in a site gives you access to everything on the same origin. So, if an attacker finds an XSS anywhere in example.com, they can use it to steal login credentials from example.com/login. With a separate login domain and HttpOnly cookies, this is significantly mitigated. (Of course, you need some way to pass credentials from the login domain to example.com, and implementing that without leaking the credentials to an XSS is non-trivial.)

Yes, it's probably bad form to teach users to log in on a different domain. Often using a subdomain provides a good balance of containment (via origin) and usability. See, for example, accounts.google.com for a login page on a different origin, but recognizable domain.

David
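The containment the answer describes rests on cookie scoping: a session cookie set by the login host without a `Domain` attribute is never attached to requests for the rest of the site, so script running on `www.example.com` (an XSS there, say) has no cookie to ride on, while a `Domain=example.com` cookie is shared with every subdomain. The following is an added example, not code from the answer, that uses Python's standard `http.cookiejar` policy to show both cases; the host names, URLs and `Set-Cookie` headers are constructed for the demonstration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample headers, as a dedicated login host might send them.
LOGIN_URL = "https://accounts.example.com/login"
HOST_SCOPED = "session=abc123; Path=/; Secure; HttpOnly"           # no Domain attribute
SITE_SCOPED = "session=abc123; Domain=example.com; Path=/; Secure"  # shared with all subdomains
TARGETS = ["https://accounts.example.com/oauth/authorize",
           "https://www.example.com/app"]


class _FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def cookie_sent_to(set_cookie_header, login_url, target_urls):
    """Store the cookie as if the login host set it, then report for each target
    URL whether the default cookie policy would attach it to a request there.
    The report also records whether the cookie carries the HttpOnly flag."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login_req)
    cookie = next(iter(jar))
    report = {"httponly": cookie.has_nonstandard_attr("HttpOnly")}
    for url in target_urls:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # adds a Cookie header only where policy allows
        report[url] = req.has_header("Cookie")
    return report


if __name__ == "__main__":
    print("host-scoped:", cookie_sent_to(HOST_SCOPED, LOGIN_URL, TARGETS))
    print("site-scoped:", cookie_sent_to(SITE_SCOPED, LOGIN_URL, TARGETS))
```

The host-scoped cookie is sent only to `accounts.example.com`, so the login session stays inside that origin; the site-scoped cookie travels to `www.example.com` as well, which is exactly the sharing that makes an XSS elsewhere on the site dangerous.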