I'm in the in the process of developing an application for a client, which will have an SSL certificate and be served under https. However, to integrate with their existing site they want to provide their navigation inside an iframe.
I can see this causing trouble, as I'd expect the browser to complain about the mix of secure and insecure content on the page. I've had a look at similar questions on here and they all seem to refer to this the other way round (secure content in the iframe).
What I'd like to know, then, is: will it cause issues to have insecure content included inside an iframe, placed on a secure page , and if so what sort of problems would they be?
Ideally if it's not a good idea (and I have a strong feeling that it isn't) I need to be able to explain this to the client.
iframe injection is a very common cross-site scripting attack. iframes use multiple tags to display HTML documents on web pages and redirect users to different web addresses. This behavior allows 3rd parties to inject malicious executables, viruses, or worms into your application and execute them in user's devices.
You cannot fix this from Power Apps Portal side. Most probably web site that you try to embed as an iframe doesn't allow to be embedded. You need to update X-Frame-Options on the website that you are trying to embed to allow your Power Apps Portal (if you have control over that website).
If your page is http then it allows iframe with https content.
But if your page is https then it does not allow http content.
Lets put down following possibilities.
page - iframe - status http - http - allowed http - https - allowed https- http - not allowed https- https - allowed
If your page is being accessed using https://www.example.com/main/index.jsp
(SSL) then your browser will complain with "This page contains both secure and insecure items" if there are any resources in the HTML code that are referenced with http://
(non-SSL). This includes iframes.
If your navigation page is hosted on the same server then you can prevent the "insecure content" message by using a relative URL like this...
<iframe src="/app/navigation.jsp" />
From your question it sounds like your navigation page is being served from a separate host and you're being forced to use something like this
<iframe src="http://otherserver.example.com/app/navigation.jsp" />
which will of course cause the "insecure content" message in your browser.
Your only solutions are to either
implement SSL on the server holding your navigation page so you can use https://
for your iframe reference, or
move the navigation application to the same server so you can use a relative URL.
Personally I can't see why your navigation would be on a different host because then you're going to get JavaScript cross-domain scripting issues (unless some funky JSONP is involved).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With