HTML5 post message, can the origin be tampered


I am trying to implement cross domain authentication using HTML5.

Domain2 will post a message to the domain1 iframe to get the data, and domain1 will check the origin and get the data. The user data will be the email address.

Can someone tamper with the origin property of the message (e.g. by changing the hosts file), pretend to be domain2, post a message to the domain1 iframe, and get the email address of the user?

Thanks

Tuco


Solution

  • Yes, the user can tamper with it.

    JavaScript is executed in the web browser of the user. Everything which happens on the client side can be controlled and manipulated by the user. The user doesn't even have to manipulate the hosts file for that; there are many other ways to forge HTTP POST requests.

    Anything which must not be manipulated by the user must be done on the server side.

    When you need cross-domain authentication, you usually generate a long, random ID number (aka a token) on the server which hosts domain1. This token is sent both to the user and to the other server which hosts domain2. When the user then visits domain2, it can provide the token it got from domain1 (usually as part of the URL which leads from domain1 to domain2). This allows domain2 to identify the user.
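
The token flow described in the answer above, sketched as an added Node.js example that is not part of the original question or answer. The names `issueToken`, `redeemToken`, `TTL_MS` and `domain2.example` are hypothetical, and the expiry, single-use and digest-only storage are assumptions added here, not steps the answer states.

```javascript
// Added example with hypothetical names; both "servers" run in one process
// here so the flow can be followed end to end.
const { randomBytes, createHash } = require('node:crypto');

const TTL_MS = 60_000; // assumption: a token is valid for one minute

// Stands in for domain2's server-side table. It is filled over a
// server-to-server channel from domain1, never through the browser.
const domain2Tokens = new Map();

const digest = (token) => createHash('sha256').update(token).digest('hex');

// domain1 server: called after the user has authenticated to domain1.
function issueToken(email, now = Date.now()) {
  // 32 bytes from the CSPRNG: long and random, so it cannot be guessed.
  const token = randomBytes(32).toString('base64url');
  // Back channel: domain2 learns digest -> user. Only the digest is stored,
  // so a leak of the table does not leak usable tokens.
  domain2Tokens.set(digest(token), { email, expires: now + TTL_MS });
  // Front channel: the browser only carries the opaque token in the URL.
  return { token, redirect: `https://domain2.example/login?token=${token}` };
}

// domain2 server: called with whatever value the browser presented.
function redeemToken(presented, now = Date.now()) {
  if (typeof presented !== 'string' || presented.length === 0) return null;
  const key = digest(presented);
  const entry = domain2Tokens.get(key);
  if (!entry) return null;              // unknown or forged value
  domain2Tokens.delete(key);            // single use: a replayed URL fails
  if (now > entry.expires) return null; // expired before it was presented
  return entry.email;                   // identity comes from server state
}
```

The email address never passes through client-controlled code: the browser holds only an unguessable value, and domain2 resolves it against state it received from domain1 directly.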