HTTP 和 HTTPS iframe [英] HTTP and HTTPS iframe

问题描述

我正在创建一个小部件，我想让其他人使用它.iframe 是通过 HTTP 加载的 - 但我想允许用户通过 HTTPS 登录.即通过 SSL 发送登录请求.

I am creating a small widget and I want to allow others to use it. The iframe is loaded via HTTP - but I want to allow users to login via HTTPS. i.e. Send a request for login via SSL.

这在同源策略中是否允许?即场景是用户可以将我的 JavaScript 集成到他们的网站，小部件打开，我想允许他们通过 HTTPS 登录?

Is this allowed within the same-origin policy? i.e. The scenario is that a user can integrate my JavaScript to their website, the widget opens and I want to allow them to login via HTTPS?

推荐答案

将带有通过 HTTPS 提供的内容的 iframe 嵌入到通过纯 HTTP(或混合内容)提供的页面中通常是不好的做法.这样做的原因是用户没有好的方法来检查他们正在使用他们打算使用的 HTTPS 站点(除非用户真的想检查页面的来源).

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

攻击者很可能像这样替换您提供的内容:

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe" />

与:

<iframe src="https://rogue.site.example/badloginframe" />

甚至:

<iframe src="http://rogue.site.example/badloginframe" />

这对用户来说很难检测到，并且会破坏您通过启用 HTTPS 登录而尝试实施的安全措施.

This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.

这篇关于HTTP 和 HTTPS iframe的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！