5

We are developing a website for students on which they first have to fulfill specific tasks in order to use our service. The problem is, that those tasks are on another website, which has nothing to do with ours and is currently placed in an iframe on our page. One mentionable thing is, that after the user finished the task (on the other website), a new site opens up, which says, that he has finished. So our question would be: Is it possible to get a verification from the other website, that the user has fullilled the task? First we thought of reading out the specific "span class name" from the page on which the user lands last. The problem here is the "same origin policy". Do you know a better way to solve this or a save and legal way around that policy? Thanks for your help!

Ps: I am a Bachelor's student in Informatics so I'm still learning, if there are some logical mistakes at my qestion. (:

D_Burg
  • 51
  • 2
  • Why is the "same origin policy" a problem? Are you getting an error message when you try to interrogate the page in the frame? – Robert Harvey Mar 02 '16 at 23:54
  • 4
    Do you have any security or fraud concerns? I think you'd be better off having one server talk to the other instead of screen scraping the client (which would suggest that the task fulfillment server maintain per user state (tasks fulfilled)). – Erik Eidt Mar 03 '16 at 00:50
  • 3
    Have you asked the operators of the site you're embedding? They may be able to assist by providing an explicit notification of some kind (eg via window.postMessage), or by explicitly disabling the same origin policy (by changing its document.domain property). See http://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy – Jules Mar 03 '16 at 02:56
  • @RobertHarvey yes if I try to read out the span class via javascript i get an error. I've googled it and it referred me to the same origin policy. – D_Burg Mar 03 '16 at 11:29
  • @ErikEidt could you please explain what you mean by security/fraud concerns? Is it unsave to let the servers communicate between each other and how does it affect my security? – D_Burg Mar 03 '16 at 11:33
  • @D_Burg: I think Erik is assuming you have control over both servers. – Robert Harvey Mar 03 '16 at 15:29
  • If you send data to the client, and use that to pass information to the other server, it is possible that a student could mock up a fake response. – Erik Eidt Mar 03 '16 at 16:44
  • I now have sent an e-mail to the operator if he could support us at that issue. We think it's the best and safest idea to do so. Thank you all for your answers so far! – D_Burg Mar 04 '16 at 19:29

1 Answers1

1

You have essentially two ways to achieve that.

Calling an API

When the user claims that he finished the tasks on the third-party site, call the API of this site, asking to confirm that the tasks were already done. If we assume that you trust the third-party and the channel between you and the third-party server, this guarantees you that the user actually performed the required tasks.

Possible issues:

  • The third-party website doesn't provide such API.

  • You cannot reliably match the local user with the third-party site user.

Example:

Imagine the task is to store a given file on Google Drive, with a specific name. Once the user finishes the task, he comes back to your site/mobile application. Your site/mobile application can then use OAuth to match the Google's account to the user and, given specific authorization, access the file in Google Drive, or at least check that the file exists.

Trusting the user

If the first alternative couldn't be done, then you have to trust the user when he tells that he actually did the tasks.

You shouldn't necessarily ask the user if he did the tasks, with a yes/no option; instead, you can actually check the contents of the <iframe> or check the URLs which were used by the <iframe> (maybe http://example.com/task1/success means that the user finished the task, while http://example.com/task1/failure means that the user failed it?)

The point is, as soon as you do those checks on client side, you're doomed. You are actually relying on the client to tell you the truth. You may make it easy for the client to cheat, by giving a yes/no option within a form, or you may make it difficult, by obfuscating a piece of JavaScript code which would do some dark magic with the <iframe>; nevertheless, as soon as the code runs on client side, it can (and will, if there are benefits to do that) be tampered.

If you're sure you can trust your users, then you can address the actual technical aspects through StackOverflow. If you're able to make the third-party change their page, cross-document messaging would be the most easy and straightforward solution here (being also relatively easy to tamper for a user who wants to cheat).

Of course, if you have leverage over the third-party, you can develop a solution together, which also uses a private-public key pair to encrypt the data which passes through the user. The user becomes merely a transporter of the data, and can't tamper it. This being said, if you have this sort of power over the third party, why not asking them to do an API?

Possible issues:

  • The user can claim that he did the tasks, even if he didn't. There is nothing you can do to completely prevent cheating here (unless you can exchange a pair of keys with the third-party).

  • The easiest solutions require to change the third-party website; if you have this sort of power, couldn't you simply ask the third-party to develop an API?

Example:

Before performing something on your site, the user needs to ask a few questions. There is a third-party service—a site which hosts questions and collects answers from the users (and verifies that the answers are correct).

You start by generating an UID that you encrypt with a public key which was previously provided by the third-party. Then, you redirect the user to the third-party site, specifying the encrypted UID in the URI; the user cannot read the UID, because he doesn't have the private key.

Once the user answers the questions, the third-party site redirects the user back to your site, and appends to the URI some data which contains the UID, as well as the success/failure status, encrypted with the second public key, the one you previously provided to the third-party. Once you receive this data, you can be sure that the user haven't tampered with it, even if he knew both public keys: since the user couldn't know the original UID, the presence of the authentic UID ensures that the message was encrypted by the third-party.

As you can see, there is nothing particularly complicated for someone who is familiar with cryptography, and there are plenty of risks to fail for someone who isn't. Again, a simple API is a much more straightforward approach.

Community
  • 1
Arseni Mourzenko
  • 134,780
  • 31
  • 343
  • 513
  • So master of cryptography cheats on his biology test by hacking the web page that's checking his work? Achievement unlocked, I guess. Though to be fair, it would be a better win if they were actually taking a computer class, rather than biology. – Robert Harvey Sep 04 '16 at 22:23