
Is it a bad idea to have a login dialog inside an iframe?

We're creating a website where we will be giving out code snippets to our users which they can place on their own websites. These snippets contain a link and a javascript include. When clicking the link, an iframe containing the login dialog to our site opens. The user then authenticates inside the iframe, does his work and when he leaves the iframe his session is closed. We've got it working already and it's very slick.

Our main concern though is phishing. The user has absolutely no way of verifying where the login page is really coming from. On the other hand, phishing attacks are also successful even if the user can see the fake URL in the address bar.

Would you enter your (OpenId) credentials in an iframe? Does anyone know a pattern with which we could minimise the chances of a phishing attack?


The user has absolutely no way of verifying where the login page is really coming from.

There are ways around that, by having the user choose a secret that the real login page can display back at them to identify itself. Usually this is done with easily-identifiable pictures.

However that is not the only issue. If you allow your login page to be framed (and the user comes to expect that), you also open yourself to clickjacking attacks. The third-party site can frame your login page, then position: absolute their own HTML elements on top of it. Elements like inputs directly on top of yours, sniffing each keypress to nab the password.

You can allow a simple “start login process” button to be framed, and maybe a username/identifier, but the form into which a password should be typed must open in its own browser window (either in the main window or in a popup) with its own address bar and SSL indicator.

Would you enter your (OpenId) credentials in an iframe?

Goodness no.


I would recommend not using an IFrame as they defeat accessibility, SEO, and semantics unless you want those defeated. If you are asking people to log in via an IFrame then you have a definite accessibility barrier that may be considered legally discriminatory in certain countries.
