using iframes within secure pages - browser

Since iframes no longer work on my site since I secured it. What would be the best way to display external content on an https page. Is there an alternative or is there simply no way around the mixed content rule?

It is possible to display content in iframe, you just need to use https protocol when you embed your iframe.
This means of course that the source site you are embedding must support https.
Forgot to add as well, that the site you are embedding, could have some iframe/embed restrictions, like for example Facebook:
Refused to display 'https://www.facebook.com/' in a frame because it set 'X-Frame-Options' to 'DENY'.

Related

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded, unfortunately i'm getting "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page i'm trying include inside the iframe. Also this is a php site not wordpress.
Thanks
You are always going to have this problem when an HTTPS page references non secured content. You options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory a HTTP page should be able to reference HTTPS hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in seperate vhosts.

How to make web page only allowed accessed by iframe

I have an application that embedding the content from another server via iframe. how to prevent the iframe content accessed directly over browser?
this is my page that embedding with iframe :
http://10.1.1.1/pustaka/random/parameter
and this is my iframe content server :
http://10.1.1.2/flipbook/folder/related/to/random/parameter
How to use .htaccess to allow page access in my iframe but not directly?
Try searching around for answers =] I believe this one will help you out, though.

Embed secure iframe content on secure site from separate domain. Will this work?

I need to display a secure form from site A on an insecure site (site B).
I've found quite a bit of information on the dangers of embedding content from a secure site on a non-secure site using iFrame. I'm sold that this is a no-go.
My question is this: will making site B https solve my problem? Can I embed a secure form on a secure site (two different domains) using iFrame?
Some things that might help: the form is generated on a site called Blackbaud Sphere which gives me very little control over how the page is generated. It's like a google form but with financial data, purchases, etc.
Thanks!
Yes, you can. It is perfectly valid to have an iFrame from a different domain provided that you are not mixing secure and insecure content.

Displaying external web pages that do not allow iframe embedding in WinJS

My current understanding is that the only way to display external web pages in the WinJS app is to use iframes. This seems to be a limitation, since I am not able to embed youtube links or twitter search links.
eg. http://www.youtube.com/watch?v=diP-o_JxysA
How do I go about displaying these webpages? Are there any workarounds for this limitation other than the run your own proxy solutions.
You cannot without running your own proxy and modifying the headers, or modifying the headers directly on the host server.
Note that for other types of resources, like login pages that don't like to be iframed (e.g. Salesforce.com), you can use the WebAuthenticationBroker.

What ways can you secure a web page so that it can ONLY be viewed from within an iFrame?

This thread was created back in 2008 Restricting IFRAME access in PHP
I am looking to do almost the exact same thing. i.e. I want to have sites which are publicly accessible as long as they are being viewed from a specific iFrame, from a specific app. The IFrame app will have user authentication giving them access to urls outside the core application. The urls are all likely to be built using Open Source PHP tools e.g. Wordpress.
Both the viewing iFrame and the viewed sites/pages will be owned by us.
Have there been any developments in last few years on ways to do this?
For various reasons not related to this particular issue, I am considering using the serverside RIA framework Vaadin (JAVA) for building the app that will contain the iFrame viewer.
The demo of the embed widget is here http://demo.vaadin.com/sampler#WebEmbed Looking at the page source I don't see anywhere that the address of the embedded webpage is displayed. So to some extent I wonder if I can hide my urls from search engines, give them very long, randomly generated URI's and maybe they will be impossible to find anyway?
You should be able to modify a framekiller to do the opposite. A framekiller is a piece of javascript to prevent clickjacking by detecting if the page has been loaded within an iframe.
Limiting the iframe to load within a specific page is more difficult. Looking at the referer is easy, but also easy to bypass. If you load the iframe from an https page the referer will be blank. A better way would be to require the server to obtain a Nonce and include this in the iframe url. Such as http://iframe_url?key=difhj8j84528423j423894hfdj897 or whatever. Having the server make a request to your server would be ideal. Doing it with client side code and jsonp to fetch the nonce is problematic because an attacker could deliver modified javascript to fetch the nonce.

Resources