Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure IFRAME nested on non-secure page

Tags:

ssl

cross-domain

iframe

I have a client that, due to specific reasons, needs to place an IFRAME pointing to an HTTPS page on an HTTP page. The HTTP page is hosted on a different domain and server than the HTTPS page, but are both owned by the same client.

Putting aside the reasons why this should not be done, I am finding it difficult to implement in practice.

As one can see on this page: http://www.clevelandutilities.com/obppay.htm there is a HTTPS IFRAME on an HTTP page without any warnings from the browser (Firefox OR IE). However, if I try the same method, both Firefox and IE complain about the certificate.

Any ideas on why that is? I've examined the source at that sample site and can see nothing special being done, yet if I try the same thing I get squawking. Further, if I put the domain that they are using (https://www.paybill.com/cu/), it doesn't complain - if I put our domain it, it complains. Are all SSL certificates created equal?

To boil it down, this works without warnings:

<iframe src="https://www.paybill.com/cu/" width="100%" height="600" scrolling="auto"></iframe>

this does not:

<iframe src="https://www.myclientdomain.com/somepage.php" width="100%" height="600" scrolling="auto"></iframe>

Further, we use an IFRAME-style Facebook app to pipe in to this same HTTPS page, and THAT works with no complaints about the SSL certificate. Huh?!

like image 903
Chris Baker Avatar asked Sep 08 '11 21:09

Chris Baker

1 Answers

After digging a bit, we uncovered that the certificate is specific to www.myclientdomain.com, and the developer in charge had used ...src="https://myclientdomain.com"... in the IFRAME. This was causing the following "Connection is untrusted" error screen:

Untrusted error screenshot

The common practice for the host domain is to never use 'www' in the URL (enforced with .htaccess), whereas the standard for the source domain (the one with the certificate) is to always use it (enforced with .htaccess). That's what lead the other developer to leave it off - that's what he is used to for his site.

If one clicked "I understand the risks" even once for the source domain and added the certificate exception, any visit thereafter would have made it to the htaccess and be redirected to www-, which is why on my (and the other developer's) computer the page would load fine and check out normal in Firebug while our boss got the warning. We had both (apparently) added the exception for one reason or another in the past.

When we put it together, it was a real facepalm moment. Thanks to anyone who had given this question thought, sorry to have not checked the details carefully enough. :)

like image 133
Chris Baker Avatar answered Sep 24 '22 05:09

Chris Baker
Sign in to Comment

Related questions

Return ID of all iframes in a page
css styling the facebook Login Button, best practices
Service Workers from an iframe for Chrome GCM notifications for web
How to access onfocus event from iframe (cross-origin)?
Removing "X-Frame-Options" header for a specific controller only
Cache iframe request with ServiceWorker
HTML as sandboxed iframe's `src` (IE11/Edge)
External website / image size when displayed in a modal popup + iframe
Embedded iframe not scrolling
Render HTML inside a React app using iframe
How to include angular 4 app inside iframe in another app?
How to rename PDF in primefaces media tag
Is there a way to detect the start of a download in JavaScript?
Get url from iframe and update hash in browser url
Permission Denied IE iFrame
Options for Google Maps over SSL
How to compare 2 iframes and get difference visually?
iframe just before unload event
YouTube iFrame API "setPlaybackQuality" or "suggestedQuality" not working
set innerHTML of an iframe

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!