
Currently we have an ExtJS application where we are calling the /login API through an iframe by passing the username as /login?username=YWRtaW5AZWZmaXNlci5jbzZTZzMTg= and reading this in the superset_config.py file. But since this is not good practice, we want to send the username in any way apart from passing it in the URL. Please help in providing the possible ways with which we could achieve this and improve the security.

if (supersetIframeCmp) {
    var supersetIframeCmpEle = supersetIframeCmp.getEl();
    if (supersetIframeCmpEle) {
        // the base64-encoded username is appended to the query string of the iframe URL
        supersetIframeCmpEle.dom.src = superset_application_url + '?username=' + userNameEncoded;
    }
}
asked Mar 4 at 8:32 by Just another object; edited Mar 5 at 15:30 by TylerH
  • 2 Either a POST request made by submitting a form "into" the iframe, or communication between them via postMessage. – C3roe Commented Mar 4 at 8:35
  • 2 Although it should be noted that neither of these methods are any more secure than what you're already doing. – Rory McCrossan Commented Mar 4 at 9:46
  • Thanks @C3roe, I did the POST request by passing the username in the form data, but Superset is failing on the POST request with a "csrf token missing" error on the Superset side – Just another object Commented Mar 4 at 13:48
  • 1 Well this is exactly the scenario a CSRF token is supposed to protect against. You'd either have to disable CSRF protection for that route, or somehow acquire a valid CSRF token first. Whether either of those things makes sense in your specific situation, I couldn't say, because so far it isn't really clear what you are actually trying to achieve here. – C3roe Commented Mar 4 at 14:09
  • 1 Sounds like what you really need is a Single Sign On (SSO) solution, e.g. something like what is described in blog.elest.io/apache-superset-sso-integration-guide . Of course this means you need a suitable authentication provider - I don't know if/how your own application authenticates users. As C3roe says, the whole point of CSRF protection is to prevent applications from silently attempting to log in to a Superset account in the background (while your aim might be legit, it's not hard to see how such a capability might be used more maliciously). This isn't an intended use of the system. – ADyson Commented Mar 4 at 14:30
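The postMessage hand-off mentioned in the comments, written out as an added example (not code from the question, the answer, or the Superset project). It assumes a parent ExtJS page served from https://app.example and Superset embedded from https://superset.example (both constructed origins), an iframe with id superset-frame, and a placeholder currentUserName; the function names are hypothetical. The point it makes is the one the comments make: the message only moves the username across the frame boundary, so both sides must pin the origin they talk to, and whatever the embedded page does with the username still has to go through Superset's own login flow with its CSRF token.

```javascript
// Added example, not from the original post. Origins are constructed placeholders.
const PARENT_ORIGIN = 'https://app.example';        // the ExtJS application
const SUPERSET_ORIGIN = 'https://superset.example'; // the embedded Superset
const currentUserName = 'user@example.test';        // placeholder; the app would supply this

// Receiver-side check. Any window can call postMessage on another, so the
// embedded page must accept only messages from the expected origin and of
// the expected shape; otherwise any site that framed it could inject a username.
function isTrustedLoginMessage(event, allowedOrigin) {
  if (!event || event.origin !== allowedOrigin) return false;
  const d = event.data;
  return !!d && typeof d === 'object'
    && d.type === 'superset-login'
    && typeof d.username === 'string' && d.username.length > 0;
}

// Sender side. Naming the target origin makes the browser drop the message if
// the frame has navigated somewhere else, so the username never reaches a
// third party. Returns the message for inspection.
function postLoginMessage(frameWindow, username, targetOrigin) {
  const message = { type: 'superset-login', username: username };
  frameWindow.postMessage(message, targetOrigin);
  return message;
}

// Browser glue; skipped under Node so the two functions above can be unit-tested.
if (typeof window !== 'undefined') {
  if (window.parent === window) {
    // Parent page: wait for the frame to load, then hand the username over.
    const frame = document.getElementById('superset-frame');
    frame.addEventListener('load', function () {
      postLoginMessage(frame.contentWindow, currentUserName, SUPERSET_ORIGIN);
    });
  } else {
    // Embedded page: act only on trusted messages. The username is a hint for
    // the page's own login form/XHR, which must still carry Superset's CSRF
    // token; the message itself proves nothing about who the user is.
    window.addEventListener('message', function (event) {
      if (!isTrustedLoginMessage(event, PARENT_ORIGIN)) return;
      // e.g. prefill a login form here with event.data.username
    });
  }
}
```

Note that this is no more of an authentication mechanism than the query string was, which is what the second comment says: the parent asserts a username and the embedded page takes its word for it. Superset's CSRF check is there precisely to reject a background login driven this way, which is why the thread steers toward a real SSO/authentication provider rather than a different transport for the same unauthenticated value.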

1 Answer (score -2)

I think you can use an AJAX request from ExtJS to retrieve an authentication token or session. Then set the token in the session and load the iframe without passing sensitive data in the URL.

Tags: javascript. Title: Passing the username through an iframe without passing it in the url in extjs (Stack Overflow)