In the administration of advanced iframe I have written the following note:
“Please do not use a different protocol for the iframe: Do not mix http and https if possible!”.
What does this mean?
- If the protocol of your page is http than use a http page inside the iframe.
- If the protocol of your page is https than use a https page inside the iframe.
But why should you not do this?
1. https with http iframe
Lets start with the one you can not do: Your page is https and your iframe page is http. This scenario is called “Mixed Active Content” and is blocked by all major browsers now. You can open this test page and check the browser console (F12) for the errors you get then!
-> HTTP pages cannot be included directly into HTTPS pages!
2. http with https iframe
-> HTTPS pages can be included into HTTP pages!
What you can do is including an iframe with a https page into a http page. This not recommended as is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is, that there’s no good way for the user to check they’re using the HTTPS site they intend (unless the user really wants to check the source of the page). They also don’t know that e.g. their login credentials are sent over HTTPS as in the browser address only HTTP is visible.
Also you need to try if your pages are working on all major browsers. I already had users with side effects when it comes to cookies or session handling!
My recommendation is to upgrade your http page to https!
- Enable “Use post message for communication” on the “External workaround” tab.
- Copy the generated ai_external.js to a https domain and include it from there! Remember to copy the ai_external.js each time you change something with the “save” icon in the administration.
Have fun using advanced iframe (pro),