Why you should not mix http and https when using iframes

In the administration of advanced iframe I have written the following note:

“Please do not use a different protocol for the iframe: Do not mix http and https if possible!”.

What does this mean?

  1. If the protocol of your page is http than use a http page inside the iframe.
  2. If the protocol of your page is https than use a https page inside the iframe.

But why should you not do this?

1. https with http iframe

Lets start with the one you can not do:  Your page is https and your iframe page is http. This scenario is called “Mixed Active Content” and is blocked by all major browsers now. You can open this test page and check the browser console (F12) for the errors you get then!

-> HTTP pages cannot be included directly into HTTPS pages!

2. http with https iframe

-> HTTPS pages can be included into HTTP pages!

What you  can do is including an iframe with a https page into a http page. This not recommended as is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is, that there’s no good way for the user to check they’re using the HTTPS site they intend (unless the user really wants to check the source of the page). They also don’t know that e.g. their login credentials are sent over HTTPS as in the browser address only HTTP is visible.
Also you need to try if your pages are working on all major browsers. I already had users with side effects when it comes to cookies or session handling!

My recommendation is to upgrade your http page to https!

IF YOU STILL WANT TO DO THIS: The external workaround is by default NOT working in this setup as the Javascript is than loaded from an http domain which is blocked! To get this working in the pro version you need to

  1. Enable “Use post message for communication” on the “External workaround” tab.
  2. Copy the generated ai_external.js to a https domain and include it from there! Remember to copy the ai_external.js each time you change something with the “save” icon in the administration.

See a working example here: https://www.tinywebgallery.com/blog/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e53

Have fun using advanced iframe (pro),
Michael