Anyone have any luck embedding AWS console in a portlet?

Anyone have any luck embedding AWS console in a portlet within the Cloud Portal (Service Portal)?

Accepted Solutions
Cisco Employee

Unfortunately, not all web pages will be embeddable in another page.

Amazon blocking AWS from being embedded in a Portal page is actually a common security practice called “Frame Busting” or “Frame Breaking”.

There are a large number of security issues with iframes (the HTML tag that allows embedding another URL in a web page) and “click-jacking”. One example: on my public website I render an iframe containing AWS, and over the top, I render an image. At this point you cannot see your AWS frame, but if you are logged in, it’s there and logged in. Now the image I put over the top has a specially located “Click here for more cute kittens!” button. So you click for more cute kittens. The click is not registered by the image, but is sent to the iframe. The click was carefully aligned under the image to hit a request to do something in AWS. Worst case, a button to delete a VM.

So the short answer to giving your user AWS access is: you should always pop open AWS into a new window. Even though you may be able to override some of the frame busting scripts (such as overriding special JS functions), in some browsers, for some sites, you won’t be able to provide a reliable experience. It’s an “arms race”, and Amazon will keep finding new ways to prevent embedding. (Amazon's stance would be: if you want to provide this functionality, build your own mini-Application that calls out to the AWS API).

There is support built into some browsers so that a website, such as AWS, specifies a special HTTP header which stops the browser from embedding it in a page.

More information about click jacking:

https://www.owasp.org/index.php/Clickjacking

More technical information about frame busting, frame busting-busting, and frame busting-busting-busting: http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
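
The header-based protection mentioned in the answer above, as an added example that is not part of the original thread: a simplified model of how a browser evaluates `X-Frame-Options` and the CSP `frame-ancestors` directive before rendering a page in a frame, useful for checking why a portlet stays blank. The function names and the `portal.example` / `console.example` origins are constructed for illustration; only a single parent frame is modelled and paths in source expressions are ignored.

```javascript
// Added example (constructed origins, simplified source matching).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Does one frame-ancestors source expression match the embedding (parent) page?
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme only
  // Host source; a missing scheme falls back to the framed page's own scheme.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if ((scheme ? scheme + ":" : self.protocol) !== parent.protocol) return false;
  const parentPort = parent.port || DEFAULT_PORT[parent.protocol];
  if (port !== "*" && (port || DEFAULT_PORT[parent.protocol]) !== parentPort) return false;
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

// headers: response headers of the framed page, lower-case names, string values.
function framingDecision(headers, parentOrigin, framedOrigin) {
  const parent = new URL(parentOrigin), self = new URL(framedOrigin);
  const csp = headers["content-security-policy"] || "";
  // Several policies may arrive comma-joined; each one with frame-ancestors must allow.
  const lists = csp.split(",")
    .map(policy => policy.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean);
  if (lists.length > 0) {
    // When frame-ancestors is present, X-Frame-Options is not consulted.
    const ok = lists.every(d => d.slice(1).some(src => sourceMatches(src, parent, self)));
    return { allowed: ok, decidedBy: "frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parent.origin === self.origin, decidedBy: "x-frame-options" };
  // No header, or a value current browsers ignore (such as ALLOW-FROM): no protection.
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample: a console that only permits framing by itself.
console.log(framingDecision({ "x-frame-options": "SAMEORIGIN" },
  "https://portal.example", "https://console.example"));
```

A result of `decidedBy: "none"` means the page relies on script-based frame busting alone, or has no framing protection.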
