Why you should not mix http and https when using iframes

In the administration of advanced iframe I have written the following note:

"Please do not use a different protocol for the iframe: Do not mix http and https if possible!".

What does this mean?

  1. If the protocol of your page is http, then use an http page inside the iframe.
  2. If the protocol of your page is https, then use an https page inside the iframe.

But why should you not do this?

1. https with http iframe

Let's start with the one you cannot do: your page is https and your iframe page is http. This scenario is called "Mixed Active Content" and is now blocked by all major browsers. You can open this test page and check the browser console (F12) to see the errors you get!

-> HTTP pages cannot be included directly into HTTPS pages!

2. http with https iframe

-> HTTPS pages can be included into HTTP pages!

What you can do is include an iframe with an https page in an http page. This is not recommended, because it is generally bad practice to embed content served over HTTPS within a page served over plain HTTP (mixed content). The reason is that there is no good way for the user to check that they are using the HTTPS site they intend (unless they really want to inspect the page source). They also cannot tell that, e.g., their login credentials are sent over HTTPS, because the browser address bar only shows HTTP.
You also need to test whether your pages work in all major browsers. I have already had users with side effects when it comes to cookies or session handling!

My recommendation is to upgrade your http page to https!

IF YOU STILL WANT TO DO THIS: the external workaround does NOT work by default in this setup, because the JavaScript is then loaded from an http domain, which is blocked! To get this working in the pro version you need to

  1. Enable "Use post message for communication" on the "External workaround" tab.
  2. Copy the generated ai_external.js to an https domain and include it from there! Remember to copy ai_external.js again each time you change something with the "save" icon in the administration.
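As an added example (not code from the advanced iframe plugin or its author), the following JavaScript encodes the two rules from above (an http frame or script inside an https page is blocked as mixed active content; an https frame inside an http page loads but is discouraged) and shows the origin check a postMessage listener should perform on the parent side when the external workaround is used. The function names, the example host names and the stubbed parent window are my own assumptions; the plugin's real ai_external.js is not reproduced here.

```javascript
// Added example, not code from the advanced iframe plugin. It encodes the
// browser rules described in the post and shows what a postMessage listener
// on the parent page should check. All names (classifyEmbedding,
// scriptLoadAllowed, createMessageListener, sendToParent, the example hosts)
// are assumptions made for this illustration.

// Classify a parent-page / iframe-page protocol combination the way current
// browsers treat it. frameUrl may be relative; it is resolved against the
// parent URL, as the browser does for an <iframe src>.
function classifyEmbedding(parentUrl, frameUrl) {
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl, parentUrl);
  if (parent.protocol === 'https:' && frame.protocol === 'http:') {
    // "Mixed active content": the browser refuses to load the frame (or script).
    return 'blocked';
  }
  if (parent.protocol === 'http:' && frame.protocol === 'https:') {
    // Loads, but the address bar shows http and the parent page itself is
    // unauthenticated, so the user cannot tell where their data really goes.
    return 'discouraged';
  }
  return 'ok';
}

// The same rule decides whether an https iframe page may load a script such as
// ai_external.js: the script must also come from an https origin.
function scriptLoadAllowed(framePageUrl, scriptUrl) {
  return classifyEmbedding(framePageUrl, scriptUrl) !== 'blocked';
}

// Parent-page side of the postMessage workaround: accept messages only from
// the exact origin of the embedded https page and ignore everything else.
// The returned listener works with a real MessageEvent (event.origin,
// event.data) and with plain objects shaped the same way.
function createMessageListener(expectedFrameOrigin, onMessage) {
  const expected = new URL(expectedFrameOrigin).origin;
  return function listener(event) {
    if (event.origin !== expected) {
      return false; // dropped: not from the frame we embedded
    }
    onMessage(event.data);
    return true;
  };
}

// Iframe-page side: name the parent origin as targetOrigin instead of "*",
// so the message is never delivered to a page at a different origin.
// parentWindow is window.parent in a browser; any object with postMessage works.
function sendToParent(parentWindow, parentOrigin, payload) {
  const target = new URL(parentOrigin).origin;
  parentWindow.postMessage(payload, target);
  return target;
}

// Stand-alone demonstration with constructed example hosts.
console.log(classifyEmbedding('https://shop.example/', 'http://widget.example/'));   // blocked
console.log(classifyEmbedding('http://shop.example/', 'https://widget.example/'));   // discouraged
console.log(scriptLoadAllowed('https://widget.example/page', 'http://shop.example/ai_external.js')); // false
console.log(scriptLoadAllowed('https://widget.example/page', 'https://cdn.example/ai_external.js')); // true
```

The listener deliberately returns a boolean so the drop decision can be logged or counted; in a real page you would register it with `window.addEventListener('message', listener)` and pass the iframe element's known https origin as `expectedFrameOrigin`.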

See a working example here: http://www.tinywebgallery.com/blog/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e53

Have fun using advanced iframe (pro),
Michael


10 Comments

  1. Rich

    Might this be a problem recently (within about a week) with an http frame via godaddy’s forwarding with masking to an https google sites page? And/or relating to changes being made due to the https/SSL heartbleed bug?

    Thanks,

    Rich

  2. Jerry

    I don’t understand the stackoverflow advice.

    How is the situation in which a rogue agent can change the target of an http -> https iframe any different from from an http -> http iframe?

    That seems to be a problem with ANY iframe, or indeed any http website where an attacker can hijack the html served with that site.

    Isn’t it?

  3. This is of course a problem of any iframe. It simply says that mixing is bad practice even if it does work when you include https pages into a http page.

    Best, Michael

  4. Rick

    The problem with the parent page being http and iframe https, is that an attacker could be a man-in-the-middle, where they are replacing the content after it leaves the server but before it arrives to the client’s browser without having to crack any encryption. If you have SSL on the parent page, then the only easy (as in, you don’t have state sponsored resources) alternative to changing the URL is to have some kind of existing vulnerability on the client side.

  5. Hi Michael

    Love Advanced iFrame, purchased it awhile back, but have a question as I’m not a coder/technical.

    I set up an iframe to change URLs on the parent page as the content changes – excellent!

    However, I am wondering if there is a way to “clean up” the URL to get rid of the “?page=%2F” and the “%2F” that are at the beginning and end of the path in the URL (e.g., http://domain.com/?page=%2Ffilename%2F).
    Instead, we just want “http://domain.com/filename”.

    Thanks, and will await your reply!

    Best,
    Cliff

  6. No – because http://domain.com/filename does not exist. You need to create rewrite rules together with plugin changes. This is actually a programming task where you also have to know how to rewrite URLs. So the plugin does not directly support this, as I think this is too complicated to set up for 99.9% of WordPress users.
    I might create a working setup which can be used as a template if someone wants this customization.

  7. Paul N

    Any way I could get some assistance with http and https setup? I have https but the iframe I need is http
