Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL iframe is embedded on other web site

Tags:

security

ssl

iframe

dns

Iframe from domain with SSLcertificate will be embedded on other site (foo.com).

  1. Must foo.com have SSL cerificate?
  2. If foo.com has SSL certificate, will it be an security error? foo.com has SSL certificate for foo.com, but iframe domain has other SSL certificate.
  3. If foo.com hasn't got SSL certificate, will it be an security error?
like image 375
Sanhe Avatar asked Mar 05 '10 15:03

Sanhe

People also ask

Can any website be embedded in an iframe?

Embedding webpages using an IFrame. An IFrame is HTML code that you can use to embed one HTML page, PDF page, another website, or other web safe file into a another webpage inside a window. The window can be styled using css code. IFrames do not make a website a "framed" site and do not affect SEO.

Is iframe embedded?

Iframes are most often used to embed specific content from one web page — like a video, form, document, or even a full web page — within a different web page. This is a powerful capability in HTML — you can take any content from any website (with permission) and place it on your own site to enhance your content.

Can you embed a website into another website?

Embed means to integrate external content into another website or page. You embed something when you place a block of code — called an embed code — into the HTML editor of another website. When you hit 'Save' or 'Publish,' the media then renders on the published page. Embedded content is referenced with HTML.

3 Answers

  1. No.
  2. You will only get a security error if the embedding site uses SSL, but the iFramed one does not. Whether the sites use different certificates or not, that does not matter.
  3. No. (Isn't this the same question as #1?)

Summary

Having different certificates between the main page and iframed pages is not a problem.

Embedding https:// pages with <iframe /> on a http:// page is not a problem.

However, if you are running a https:// secured page that embeds non-secure pages via http://, then you might get something like this (Internet Explorer):

enter image description here

It depends on the browser and its settings. For example, in IE you can turn this off:

enter image description here

like image 128
Tower Avatar answered Sep 17 '22 18:09

Tower

The best way to look at an iFrame is to see it as almost a separate browser. In the case of foo.com not being SSL but the iFramed site being SSL you will not get any errors.

If you switch this around, where foo.com has SSL and the IFramed site doesn't, you can get a security warning about mixed-content from the browser.

like image 31
Mitchel Sellers Avatar answered Sep 18 '22 18:09

Mitchel Sellers

It does not matter if the two websites use different SSL certificates. However, if the website that is being iframed is not SSL protected you will get a partially encrypted error message even if the website with the iframe embedded on it is SSL protected. I only know this because this is what I am dealing with right now. My web page was only secured after I took out the iframed website that did not have SSL protection.

like image 23
Ben Lewis Avatar answered Sep 20 '22 18:09

Ben Lewis
Sign in to Comment

Related questions

log4j-vulnerability - Is log4j1.2.17 vulnerable (was unable to find any jndi code in source)?
HttpServletRequest.getRemoteUser() vs HttpServletRequest.getUserPrincipal().getName()
HTML encode user input when storing or when displaying
WebSockets authentication
java.security.NoSuchAlgorithmException:Cannot find any provider supporting AES/ECB/PKCS7PADDING
Is it ever ok to store password in plain text in a php variable or php constant?
Rails: How to implement protect_from_forgery in Rails API mode
Attack Protection for iOS In-App Purchases
How to send secure AJAX requests with PHP and jQuery
Login disallowed for security reasons postgresql centos server
Angular 2: sanitizing HTML stripped some content with div id - this is bug or feature?
Preventing bot form submission
iptables LOG and DROP in one rule
How secure is PHP?
How to secure string in Android Application?
How do I secure Socket.IO?
Having a POST'able API and Django's CSRF Middleware
What to use as the developer payload in Google In-App Billing APIs?
What's the most secure possible Devise configuration?
Practical applications of homomorphic encryption algorithms?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!