HTTP and HTTPS iframe

by

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there’s no good way for the user to check they’re using the HTTPS site they intend (unless the user really wants to check the source of the page).

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe" />

with:

<iframe src="https://rogue.site.example/badloginframe" />

or even:

<iframe src="http://rogue.site.example/badloginframe" />

This is very hard to detect for the user, and defeats the security measure you’re trying to put in place by enabling login via HTTPS.

More Related Contents:

  1. Can I change all my http:// links to just //?
  2. How to allow http content within an iframe on a https site [duplicate]
  3. When do browsers send the Origin header? When do browsers set the origin to null?
  4. http to https through .htaccess
  5. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  6. Dealing with HTTP content in HTTPS pages
  7. Is there any downside for using a leading double slash to inherit the protocol in a URL? i.e. src=”//domain.com”
  8. Easy HTTP requests with gzip/deflate compression
  9. Ideal HTTP cache control headers for different types of resources
  10. Max memory usage of a chrome process (tab) & how do I increase it?
  11. URL without “http|https”
  12. Are Callable Cloud Functions better than HTTP functions?
  13. Reading cookies via HTTPS that were set using HTTP
  14. Correctly switching between HTTP and HTTPS using .htaccess
  15. What is the proper HTTP response to send for requests that require SSL/TLS
  16. HTTPS Proxy Server in node.js
  17. htaccess redirect for non-www both http and https
  18. What is the difference between a URI, a URL and a URN?
  19. Are the PUT, DELETE, HEAD, etc methods available in most web browsers?
  20. How to display the Authentication Challenge in UIWebView?
  21. server socket receives 2 http requests when I send from chrome and receives one when I send from firefox
  22. Is there a cross-domain iframe height auto-resizer that works?
  23. HTTP status code 0 – Error Domain=NSURLErrorDomain?
  24. What is q=0.5 in Accept* HTTP headers?
  25. Is HTTP header Referer sent when going to a http page from a https page?
  26. Cross Origin Resource Sharing with Credentials
  27. How to use Chrome’s network debugger with redirects
  28. What’s the difference between http://*:80 and http://+:80
  29. Standard method for HTTP partial upload, resume upload
  30. How to perform an HTTP POST request in ASP?

Leave a Comment