在外部网站的iframe中填写表格 [英] Populate form in iframe of external website

问题描述

我正在尝试编写一个php页面，用于在不同的iframe中加载多个不同的网站。其中几个站点需要用户登录。我需要做的是基本上允许用户只输入用户名和密码一次，然后填充所有其他表单（基本上使用相同的用户传递对登录）

现在我知道，因为那些是外部网站，您无法访问DOM，并且XSS不被允许，但是我想知道是否有其他方法可以实现这一目标。

有人真的建议我模拟按键，并有一个基本上会从字段到字段的JavaScript，并实质上键入用户名和通过，但做了一些研究后，我不认为这是可能的，因为你只能模拟事件，而不是实际的按键，所以...任何其他建议？

注意：我也检查过这个，但同意其他网站/域不是我的选择！

谢谢 - Mike

解决方案

取决于。

如果这些网站共享一个域（父窗口和iframe），那么顶级窗口可能会与子iframe进行通信。 AJAX可以防止跨域（包括子域间域名），但只要属于同一顶级域名， can 就可以进行通信。

请参阅 https://stackoverflow.com/a/9338955/575527 和 https://stackoverflow.com/a/9676156/575527

更好的方法是拥有顶级域名cookie所有这些iframe中都可以看到该cookie（假设它们具有相同的顶级域名）。登录一次使用单一的登录页面，然后页面中的后续请求将需要检查cookie与会话，如果该用户已登录。

或者如果这些页面有不同的域，但访问相同的数据库，然后可以将会话ID作为url参数传递给iframe而不是cookie。那么iframe中的网站将解析会话ID，并检查数据库中的会话是否有效，是否为当前会话并登录。

所有这些都需要额外的作为会话ID的CSRF和XSS检查已公开。

I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)

Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.

Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?

NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!

Thanks -- Mike

解决方案

that depends.

if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.

see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527

a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.

or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.

all of which need additional CSRF and XSS checking as session IDs are in the open.

这篇关于在外部网站的iframe中填写表格的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！