I am creating a small widget and I want to allow others to use it. The iframe
is loaded via HTTP - but I want to allow users to login via HTTPS. i.e. Send a request for login via SSL.
Is this allowed within the same-origin policy? i.e. The scenario is that a user can integrate my JavaScript to their website, the widget opens and I want to allow them to login via HTTPS?
Navigating or redirecting to an HTTP URL in an iframe embedded in an HTTPS page is not permitted by modern browsers, even if the frame started out with an HTTPS URL.
Navigating or redirecting to an HTTP URL in an iframe embedded in an HTTPS page is not permitted by modern browsers, even if the frame started out with an HTTPS URL. The best solution I created is to simply use google as the ssl proxy... Tested and works in firefox.
If you really want to load http content in https, you can follow this method using a backend handler in charge of downloading and exposing the required content with self forged links including a hash. The security issue is then fixed and you get the content accessible through https.
It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).
An attacker could very well replace the content you serve like this:
<iframe src="https://your.legitimate.example/loginframe" />
with:
<iframe src="https://rogue.site.example/badloginframe" />
or even:
<iframe src="http://rogue.site.example/badloginframe" />
This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With