Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
253 views
in Technique[技术] by (71.8m points)

HTTP and HTTPS iframe

I am creating a small widget and I want to allow others to use it. The iframe is loaded via HTTP - but I want to allow users to login via HTTPS. i.e. Send a request for login via SSL.

Is this allowed within the same-origin policy? i.e. The scenario is that a user can integrate my JavaScript to their website, the widget opens and I want to allow them to login via HTTPS?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe" />

with:

<iframe src="https://rogue.site.example/badloginframe" />

or even:

<iframe src="http://rogue.site.example/badloginframe" />

This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...