On Wed, Nov 4, 2009 at 8:34 PM, reyelts <reye...@gmail.com> wrote:

>
> I admit to not having been through all of the Java documentation on
> http://code.google.com/appengine/docs/. I have, however, been through
> the Python stuff extensively and never came across anything that
> suggests "framing the login page is strongly discouraged". In fact,
> some information on recommended HTML usage would be a very welcome
> addition to the Google App Engine Docs.
>
> I also was unable to find anything to suggest there was a problem with
> the TOS. I'm not modifying anything from Google nor am I usurping or
> reverse engineering or bypassing any Google interfaces. In fact, I am
> trying desperately to use a Google interface as-is and in such a
> manner as is not confusing to my user population.
>
> The frame/object *is* being served from the google.com domain. I have
> no desire to nor have I made any attempt to bypass that.


In your case, yes it is. However, there's no reliable visual cue to the user
that this is the case, and thus no way for the user to easily tell your
legitimate iframed login page from a phishing site's fake iframed login
form. For that reason, putting the login form in an iframe is very strongly
discouraged - you're essentially teaching your users to be susceptible to
phishing for their Google account details. For the same reason, it's
extremely unlikely any API to allow you to take Google user credentials
yourself will be offered.

> Depending on the browser, there are multiple ways of verifying the
> source of the frame. For example, IE's "Properties" and Chrome's
> "Inspect Element" clearly show the source address.
>

It would be unreasonable to expect even a 'power user' to do this on every
login, let alone everyone else.


>
> Finally, if you have alternatives to suggest, I welcome them.


How about showing the login form in a popup? That way, the google.com URL is
fully visible, without navigating away from your site. This is the approach
Google Friend Connect takes.


> I'm just
> trying to do what's best for my users while staying within the limits
> of the tools you provide.


I would humbly point out that offering your users a login form that is a
hallmark of phishing sites is not best for your users.

-Nick Johnson


> As evidenced by other contributors to this
> thread, you can see that I am not alone in this endeavor.
>
> On Nov 4, 1:40 am, "Nick Johnson (Google)" <nick.john...@google.com>
> wrote:
> > Hi,
> >
> > Framing the login page is strongly discouraged, and may in fact be contrary
> > to the TOS. The only way for the user to determine that a login page for a
> > Google account is legitimate is to check if it's being served off the
> > google.com domain, and this is not possible inside a frame.
> >
> > -Nick Johnson
> >
> >
> >
> > On Mon, Nov 2, 2009 at 10:36 PM, reyelts <reye...@gmail.com> wrote:
> >
> > > I apologize if I'm posting to the wrong place, I don't know if this is
> > > a basic HTML question, a Python question, a GAE question, or some
> > > combination of the set...
> >
> > > Since we can't have much impact on the user login window for Google App
> > > Engine (i.e. to change the language or add an image), I'm looking at
> > > embedding the login page, like so:
> >
> > > from google.appengine.ext import webapp
> > > from google.appengine.api import users
> > >
> > > class main(webapp.RequestHandler):
> > >     def get(self):
> > >         user = users.get_current_user()
> > >
> > >         if user is None:
> > >             # Not signed in: embed the Google login page in an <object> pane.
> > >             self.response.out.write('<html>\n<body>\n')
> > >             self.response.out.write('<p>My intro text</p>\n')
> > >             self.response.out.write('<hr>\n')
> > >             self.response.out.write('<object\n')
> > >             self.response.out.write('  data="' + users.create_login_url(self.request.uri) + '"\n')
> > >             self.response.out.write('  type="text/html"\n')
> > >             self.response.out.write('  width=100% height=50%>\n')
> > >             self.response.out.write('</object>')
> > >             self.response.out.write('<hr>\n')
> > >             self.response.out.write('</body>\n</html>\n')
> > >         else:
> > >             # Signed in: this response is what ends up inside the pane.
> > >             self.response.out.write('<html>\n<body>\n')
> > >             self.response.out.write('<p>' + user.nickname() + ' is logged in!</p>\n')
> > >             self.response.out.write('</body>\n</html>\n')
> >
> > > This works fine: I get "My intro text" at the top of the window
> > > followed by a pane with the login. However, when I login, the result
> > > ("user is logged in") is written to the pane where the login occurred,
> > > vs. replacing the whole window. I tried this with the older <iframe>,
> > > and get the same result.
> >
> > > Is there a way to re-take over the complete window (ie make the frame
> > > I created go away) on the redirect?
> >
> > --
> > Nick Johnson, Developer Programs Engineer, App Engine
> > Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number:
> > 368047
> >
>


-- 
Nick Johnson, Developer Programs Engineer, App Engine
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number:
368047
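
The popup approach suggested in this reply, sketched as an added example (not code from the thread, from Google, or from Google Friend Connect). The function names, the `login-done` message and the same-origin completion page that the login "continue" URL points to are hypothetical, and the sketch assumes the popup keeps its opener relationship across the login redirect.

```javascript
'use strict';
// Added example: function names, the message string and the completion page are
// hypothetical. `win` is the browser `window`, passed in so the logic is testable.

// Open the provider-hosted login page as its own top-level window, where the
// browser shows the provider's URL, instead of embedding it in a frame.
function openLoginPopup(win, loginUrl) {
  const url = new URL(loginUrl); // throws on a malformed URL
  if (url.protocol !== 'https:') {
    throw new Error('login URL must be https');
  }
  // No "noopener": the completion page needs window.opener to report back.
  return win.open(url.href, 'login_popup', 'width=500,height=600');
}

// Accept a completion message only from our own origin and from the popup
// we opened ourselves; anything else is ignored.
function isLoginDoneMessage(event, popup, ownOrigin) {
  return event.origin === ownOrigin &&
         event.source === popup &&
         event.data === 'login-done';
}

// Parent page: start the login and refresh once the popup reports completion.
function startLogin(win, loginUrl) {
  const popup = openLoginPopup(win, loginUrl);
  if (!popup) {
    // Popup blocked: fall back to a full-page redirect, which also keeps
    // the provider's URL visible in the address bar.
    win.location.assign(loginUrl);
    return null;
  }
  win.addEventListener('message', function onMessage(event) {
    if (!isLoginDoneMessage(event, popup, win.location.origin)) return;
    win.removeEventListener('message', onMessage);
    popup.close();
    win.location.reload(); // re-render as the signed-in user
  });
  return popup;
}

// Completion page (same origin as the parent) that the login "continue" URL
// points to: notify the opener, restricted to our origin, then close.
function reportLoginDone(win) {
  if (win.opener) {
    win.opener.postMessage('login-done', win.location.origin);
  }
  win.close();
}
```

The parent page calls `startLogin(window, loginUrl)` from a click handler, and the completion page calls `reportLoginDone(window)` on load.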
