hwcrypto / hwcrypto.js

Browser JavaScript library for working with hardware tokens
https://hwcrypto.github.io
MIT License

Does not detect token signing extension when used in an iframe #13

Closed okhofstad closed 7 years ago

okhofstad commented 9 years ago

When running hwcrypto.js 0.0.9 inside an iframe, it's not able to detect the backend due to using the "window" object for detection. This is not the same object as the one where the chrome extension has bound the "TokenSigning" function, which is in the top frame.

A workaround is to use window.top instead of window.

martinpaljak commented 9 years ago

True.

Right now I think the verdict is that "using iframes is not supported / not encouraged", until a good plan can be figured out if/how to do it. This has not been a priority at the moment.

One of the reasons is that because the window is disconnected from the browser, the origin must be made visible to the user when signing something. If the browser has example.com in the address bar and foobar.net in an iframe and the iframe initiates signing, the user would be quite surprised when some "other" site asks for a certificate which is not visible from the address bar.

Any good suggestions?

okhofstad commented 9 years ago

In our main use case both the parent and the child page are served from the same domain, hence we don't have the issue you mention here.

I do however understand that you create a general solution and must take this into account. I'll come back with any good suggestions that might pop up.

martinorgla commented 9 years ago

Any updates? 6 months and no progress on iframes?

martinpaljak commented 7 years ago

There are two options:

  1. We expose the messaging interface on all iframes
  2. When using an iframe, messaging with the native part is done by explicitly calling window.top.postMessage

Which would be better?
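As an added example (not hwcrypto.js code or the extension's code), the following shows the detection logic the thread is discussing: walking from the iframe up to `window.top` to find a `TokenSigning` function bound only on the top frame, stopping at the same-origin boundary that the example.com / foobar.net case describes, and the second option of handing the request to the top frame with `postMessage` using an explicit target origin rather than `"*"`. The frame objects are passed in explicitly so the code also runs outside a browser; the mock frames, the `TokenSigning` stub and the `'constructed-digest'` payload are constructed for the example and are not part of the original page.

```javascript
// Added example (not hwcrypto.js or the extension's own code): resolve a
// "TokenSigning" function that a browser extension bound only on the top
// frame, from inside a nested iframe, and hand a request to the top frame
// with an explicit target origin. In a page you would call
// findTokenSigning(window); here the frames are constructed mocks.

function sameOrigin(frame, origin) {
  // Reading location.origin on a cross-origin window throws a SecurityError
  // in browsers; treat a throw as "not same-origin".
  try {
    return frame.location.origin === origin;
  } catch (e) {
    return false;
  }
}

// Walk win -> win.parent -> ... -> win.top and return the first same-origin
// ancestor (including win itself) that exposes TokenSigning, or null.
function findTokenSigning(win) {
  const origin = win.location.origin;
  for (let frame = win; ; frame = frame.parent) {
    if (sameOrigin(frame, origin) && typeof frame.TokenSigning === 'function') {
      return { frame, reachedTop: frame === win.top };
    }
    if (frame === frame.parent) break; // frame.parent === frame only at top
  }
  return null;
}

// Option 2 from the thread: send the request to window.top via postMessage.
// The target origin is the iframe's own origin, not "*", so a top frame on a
// different origin (the example.com / foobar.net case) never receives it.
function requestViaTop(win, payload) {
  win.top.postMessage({ type: 'TokenSigning', payload }, win.location.origin);
}

// --- constructed mock frames (not a browser) ---
// opaque: true models how a different-origin window looks to the iframe:
// parent/top/postMessage are usable, location reads throw.
function makeFrame(origin, opts = {}) {
  const frame = { received: [], TokenSigning: opts.tokenSigning };
  Object.defineProperty(frame, 'location', {
    get() {
      if (opts.opaque) throw new Error('SecurityError: cross-origin access');
      return { origin };
    },
  });
  frame.postMessage = (message, targetOrigin) => {
    // Browsers deliver only if targetOrigin is "*" or equals the receiver's
    // real origin.
    if (targetOrigin === '*' || targetOrigin === origin) {
      frame.received.push(message);
    }
  };
  frame.parent = opts.parent || frame;
  frame.top = frame.parent === frame ? frame : frame.parent.top;
  return frame;
}

// Scenario A: same-origin iframe; extension bound TokenSigning on top only.
function sameOriginScenario() {
  const top = makeFrame('https://example.com', { tokenSigning: () => 'ok' });
  const iframe = makeFrame('https://example.com', { parent: top });
  return findTokenSigning(iframe);
}

// Scenario B: foobar.net iframe under an example.com top frame. Detection
// stops at the origin boundary and the postMessage is dropped by the browser.
function crossOriginScenario() {
  const top = makeFrame('https://example.com', { tokenSigning: () => 'ok', opaque: true });
  const iframe = makeFrame('https://foobar.net', { parent: top });
  const found = findTokenSigning(iframe);
  requestViaTop(iframe, { hash: 'constructed-digest' }); // constructed payload
  return { found, topReceived: top.received.length };
}
```

In scenario A the walk finds `TokenSigning` on the top frame, which is what the `window.top` workaround relies on; in scenario B the same walk returns `null` because the top frame's `location` is not readable, and the explicit target origin means the cross-origin top frame never sees the request, which is the behaviour the origin-visibility concern above asks for.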

martinpaljak commented 7 years ago

The chrome extension binds to all iframes, starting from latest version. Thus this should be outdated/fixed now.