
Zend Framework, SSL Routes, Fancybox, and XSS Issues

Developer https://www.devze.com 2023-01-24 08:43 Source: web

Set up:

  • I'm using Zend Framework
  • I have a controller plugin that checks routes against my application settings and redirects to https if required or standard http if not. I based my controller plugin on this blog entry.
  • My forms "pop-up" using Fancybox

Issues:

If I'm on a non-ssl page when I initiate login, the form comes up correctly and performs the login process, but the JavaScript that calls the parent to close the Fancybox instance cannot do so because the domains are now different - https vs http

The login form and some others as well could be called from pages in either context, so I'm not sure how to go about resolving this.

The JavaScript that closes the Fancybox instance:

if (window.self !== window.top) {
    // is nested
    parent.$.fancybox.close();
}


I solved it, here's how:

  1. Added new SSL Route rule that's allow_ssl and added support for it in my controller plugin. Routes that allow_ssl are not switched between HTTP and HTTPS. This fixes pop-ups that can be called from a secure page, where it doesn't matter if they're secure or not.
  2. Added a check in my login process that checks the originating request for login and sets an is_ssl flag in a 'Request' session namespace. Once the login is successful I check the flag and redirect to the close-popup action via HTTP or HTTPS. The close-popup action is one that has the allow_ssl flag.
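The two steps above, written out as an added example (this is not the answerer's code or the blog's plugin). It assumes Zend Framework 1 (Zend_Controller_Plugin_Abstract, Zend_Session_Namespace, the Redirector helper), route names 'login' and 'close-popup', settings keys require_ssl / allow_ssl, a 'switched' query marker that the plugin appends to its own http -> https redirect so the login route can tell that redirect apart from a popup opened directly from a secure page, and application classes App_Form_Login and App_Auth_Adapter that are assumed to exist. The point it demonstrates is the one behind the question: a browser treats http://host and https://host as different origins, so the page that closes the popup must be served on the opener's scheme, and allow_ssl routes are the ones the plugin never bounces.

```php
<?php
// Added example, not the answerer's code. Assumed names: routes 'login' and
// 'close-popup', settings keys require_ssl/allow_ssl, the 'switched' marker,
// and the application classes App_Form_Login and App_Auth_Adapter.

class App_Plugin_SslRoutes extends Zend_Controller_Plugin_Abstract
{
    const LOGIN_ROUTE = 'login';

    /** @var array route name => array('require_ssl' => bool, 'allow_ssl' => bool) */
    private $_routes;

    public function __construct(array $routeSettings)
    {
        $this->_routes = $routeSettings;
    }

    /**
     * Scheme the route must be served on: 'https', 'http', or null to keep the
     * current one. allow_ssl routes are never switched, so a popup action stays
     * on whatever scheme the opener page used.
     */
    public static function requiredScheme(array $settings, $isSecure)
    {
        $requireSsl = !empty($settings['require_ssl']);
        $allowSsl   = !empty($settings['allow_ssl']);

        if ($requireSsl && !$isSecure) {
            return 'https';            // sensitive route requested over plain HTTP
        }
        if (!$requireSsl && !$allowSsl && $isSecure) {
            return 'http';             // plain route: switch back, as the original plugin does
        }
        return null;
    }

    public function routeShutdown(Zend_Controller_Request_Abstract $request)
    {
        $routeName = Zend_Controller_Front::getInstance()->getRouter()->getCurrentRouteName();
        $settings  = isset($this->_routes[$routeName]) ? $this->_routes[$routeName] : array();

        if ($routeName === self::LOGIN_ROUTE && !$request->isPost()) {
            // Remember whether the page that opened the login popup was secure.
            // A request carrying 'switched' is this plugin's own http -> https
            // redirect, so the opener was plain HTTP even though this hit is HTTPS.
            $ns = new Zend_Session_Namespace('Request');
            $ns->is_ssl = $request->getParam('switched') ? false : $request->isSecure();
        }

        $target = self::requiredScheme($settings, $request->isSecure());
        if ($target === null) {
            return;
        }
        $url = $target . '://' . $request->getHttpHost() . $request->getRequestUri();
        if ($routeName === self::LOGIN_ROUTE) {
            $url .= (strpos($url, '?') === false ? '?' : '&') . 'switched=1';
        }
        Zend_Controller_Action_HelperBroker::getStaticHelper('Redirector')->gotoUrlAndExit($url);
    }
}

// Bootstrap registration (assumed settings): login is always HTTPS, close-popup
// is served on whichever scheme it is called with, everything else is plain HTTP.
Zend_Controller_Front::getInstance()->registerPlugin(new App_Plugin_SslRoutes(array(
    'login'       => array('require_ssl' => true),
    'close-popup' => array('allow_ssl'   => true),
    'home'        => array(),
)));

class AuthController extends Zend_Controller_Action
{
    public function loginAction()
    {
        $form    = new App_Form_Login();                 // assumed application form
        $request = $this->getRequest();

        if ($request->isPost() && $form->isValid($request->getPost())) {
            $adapter = new App_Auth_Adapter($form->getValues());   // assumed Zend_Auth adapter
            if (Zend_Auth::getInstance()->authenticate($adapter)->isValid()) {
                $ns     = new Zend_Session_Namespace('Request');
                $scheme = empty($ns->is_ssl) ? 'http' : 'https';
                unset($ns->is_ssl);
                // close-popup is allow_ssl, so the plugin leaves this scheme alone; the
                // frame then shares the opener's origin and can reach parent.$.fancybox.
                $url = $scheme . '://' . $request->getHttpHost()
                     . $this->view->url(array(), 'close-popup');
                $this->_helper->redirector->gotoUrlAndExit($url);
            }
        }
        $this->view->form = $form;
    }

    public function closePopupAction()
    {
        // Renders the small page whose script calls parent.$.fancybox.close().
    }
}
```

The form itself always posts over HTTPS, so the session flag is written only on the non-POST request that first displays the form and consumed once, on success, which keeps an abandoned popup from leaving a stale value behind for the next login.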
