HTTP and HTTPS iframe

http iframe https cross-domain
Tom picture Tom · Jun 29, 2010 · Viewed 88k times · Source

I am creating a small widget and I want to allow others to use it. The iframe is loaded via HTTP - but I want to allow users to login via HTTPS. i.e. Send a request for login via SSL.

Is this allowed within the same-origin policy? i.e. The scenario is that a user can integrate my JavaScript to their website, the widget opens and I want to allow them to login via HTTPS?

Answer

Bruno picture Bruno · Jul 6, 2010

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe" />

with:

<iframe src="https://rogue.site.example/badloginframe" />

or even:

<iframe src="http://rogue.site.example/badloginframe" />

This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.

Related questions

How to allow http content within an iframe on a https site

I load some HTML into an iframe but when a file referenced is using http, not https, I get the following error: [blocked] The page at {current_pagename} ran insecure content from {referenced_filename} Is there any way to turn …

Read More
lazy load iframe (delay src http call) with jquery

I am looking for something similar to jQuery image lazy load plugin, but for iframes.

Read More
What is the HTTP Referer if the link is clicked in an <iframe>?

Suppose I have a webpage located at http://www.website.com with an <iframe> in it. Like this: <html> <head>...</head> <body> ... <iframe src="http://www.washington.edu"> ... &…

Read More