开发者

How to make a page with an HTTPS iframe appear secure

开发者 https://www.devze.com 2022-12-25 00:33 出处:网络
I have a page on a website that contains a secure form inside an i开发者_StackOverflow中文版frame. Although the form data submitted is secure the page doesn\'t appear secure as the URL in the browser

I have a page on a website that contains a secure form inside an i开发者_StackOverflow中文版frame. Although the form data submitted is secure the page doesn't appear secure as the URL in the browser is just HTTP. Is there anything I can do to show the users that the form is secure?


Although the form data submitted is secure

It may or may not be encrypted. But it's not secure, and the browser is absolutely correct to deny you a padlock icon.

If the parent page is http, then that page could easily have been altered by a man-in-the-middle attack to point the usually-secure <iframe> to a completely different server to the expected one. Or, the parent page might have had JavaScript injected into it to log any keypresses you make into the form and send them to the attacker's server.

The user would have no way of checking whether this had happened, short of viewing the page source and reading and understanding every line of markup and script inside it. This is absolutely unrealistic.

If you aren't on a page where all content is secured by https, any submission from that page is insecure, regardless of where the form action is pointed.


Open the form in a new window or host the container page on a secure server. Users have a right to be skeptical of an insecure page hosting a supposedly secure page -- it's practically begging for XSS attacks.


Whether the host page is secured or not, placing https secured pages inside an iframe is not a good idea. Even https pages are not invulnerable to xss and MIM attacks. The only way to avoid any confusion as to which domain/web server your web browser is talking to is go direct to the source page - i.e. the one you are trying to put inside your iframe.

Iframes are a convenient way to quickly include content from another page/site, but they open up a whole bunch of opportunities to the dishonest!


Nothing that will trigger the usual browser "This is secure" indicators.

0

精彩评论

暂无评论...
验证码 换一张
取 消