Simon Willison’s Weblog


Teaching users to be secure is a shared responsibility

16th July 2009

Ryan Janssen: Why an OAuth iframe is a Great Idea.

The reason the OAuth community prefers that we open up a new window is that if you look at the URL in the window (the place you type in a site’s name), you would see that it says* and know that you are giving your credentials to Netflix.

Or would you? I would! Other technologists would! But would you? Would you even notice? If you noticed would you care? The answer for the VAST majority of the world is of course, no. In fact to an average person, getting taken to an ENTIRELY other site with some weird little dialog floating in a big page is EXTREMELY suspicious. The real site you are trusting to do the right thing is SetJam (not weird pop-up window site).

I posted a reply comment on that post, but I’ll replicate it in full here:

Please, please don’t do this.

As web developers we have a shared responsibility to help our users stay safe on the internet. This is becoming ever more important as people move more of their lives online.

It’s an almost Sisyphean task. If you want to avoid online fraud, you need to understand an enormous stack of technologies: browsers, web pages, links, URLs, DNS, SSL, certificates... I know user education is never the right answer, but in the case of the Web I honestly can’t see any other route.

The last thing we need is developers making the problem worse by encouraging unsafe behaviour. That was the whole POINT of OAuth—the password anti-pattern was showing up everywhere, and was causing very real problems. OAuth provides an alternative, but we still have a long way to go convincing users not to hand their password over to any site that asks for it. Still, it’s a small victory in a much bigger war.

If developers start showing OAuth in an iframe, that victory was for nothing—we may as well not have bothered. OAuth isn’t just a protocol, it’s an ambitious attempt to help users understand the importance of protecting their credentials, and the fact that different sites should be granted different permissions with regard to accessing their stuff. This is a difficult but critical lesson for users to learn. The only real hope is if OAuth, implemented correctly, spreads far enough around the Web that people start to understand it and get a feel for how it is meant to work.

By implementing OAuth in an iframe you are completely undermining this effort—and in doing so you’re contributing to a tragedy of the commons where selfish behaviour on the behalf of a few causes problems for everyone else. Even worse, if the usability DOES prove to be better (which wouldn’t be surprising) you’ll be actively encouraging people to implement OAuth in an insecure way—your competitors will hardly want to keep doing things the secure way if you are getting higher conversion rates than they are.

So once again, please don’t do this.

I hope my argument is convincing. In case it isn’t, I’d strongly suggest that any sites offering OAuth protected APIs add frame-busting JavaScript to their OAuth verification pages. Thankfully, in this case there’s a technical option for protecting the commons.
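As an added illustration (this is example code written for this page, not Netflix’s or any provider’s actual script), here is what a frame-busting guard for an OAuth authorization page looks like, together with the response headers a provider should send alongside it. The script hides the page body by default and only reveals it when the document is the top-level window, otherwise it navigates the outer window to the provider’s own URL so the address bar shows the real site. The header function covers the X-Frame-Options header (which browsers were starting to support around the time of this post) and the later Content-Security-Policy frame-ancestors directive, which browsers enforce before any script runs and which a framing page cannot disable. The provider URL and the `makeWindow` stand-in are constructed so the file runs in Node as well as in a browser.

```javascript
// Added example, not from the original post: frame-busting for an OAuth
// authorization page plus the matching anti-framing headers.

// Decide whether the current document is being framed. `win` is anything
// with `top` and `self` properties: the real `window` in a browser, or a
// constructed stand-in when run under Node.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic frame-busting pattern of the era: the page body is shipped with
// display:none, and this function either reveals it (top-level document) or
// redirects the outermost window to this page so the user sees the
// provider's real URL. Returns a string so callers and tests can observe
// which branch ran.
function applyFrameBusting(win) {
  if (isFramed(win)) {
    // Assigning top.location is permitted even across origins and navigates
    // the whole tab away from the framing page.
    win.top.location = win.self.location.href;
    return 'busted';
  }
  win.document.body.style.display = 'block';
  return 'shown';
}

// Header-based protection to send with the authorization page. An empty
// `allowedOrigins` list means the page may never be framed; otherwise only the
// listed origins may frame it (X-Frame-Options cannot express a list, so it
// falls back to SAMEORIGIN while CSP carries the precise policy).
function frameProtectionHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${allowedOrigins.join(' ')}`,
  };
}

// Constructed window stand-in (placeholder URL, not a real provider) so the
// functions above can be exercised outside a browser.
function makeWindow({ framed }) {
  const self = {
    location: { href: 'https://provider.example/oauth/authorize?oauth_token=TOKEN' },
  };
  const top = framed ? { location: null } : self;
  return { self, top, document: { body: { style: { display: 'none' } } } };
}

// In a real browser this file is included from the authorization page and
// runs against the actual window object.
if (typeof window !== 'undefined') {
  applyFrameBusting(window);
}
```

The hide-by-default detail matters: if the body is visible before the script runs, a framing page that manages to block the script (or the redirect) still gets a usable consent dialog to present inside its own UI. The headers make that moot in any browser that honours them, so treat the script as the fallback and the headers as the primary control.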

Update: It turns out Netflix already use a frame-busting script on their OAuth authentication page.