HTTP和HTTPS iframe [英] HTTP and HTTPS iframe

问题描述

我正在创建一个小部件，我想允许其他人使用它。 iframe 是通过HTTP加载的 - 但我想允许用户通过HTTPS登录。即通过SSL发送登录请求。

I am creating a small widget and I want to allow others to use it. The iframe is loaded via HTTP - but I want to allow users to login via HTTPS. i.e. Send a request for login via SSL.

同源策略中允许这样做吗？ ie方案是，用户可以将我的JavaScript集成到他们的网站，小部件打开，我想允许他们通过HTTPS登录？

Is this allowed within the same-origin policy? i.e. The scenario is that a user can integrate my JavaScript to their website, the widget opens and I want to allow them to login via HTTPS?

推荐答案

在通过纯HTTP（或混合内容）提供的页面内嵌入带有通过HTTPS提供的内容的iframe通常是不好的做法。这样做的原因是，用户没有好的方法来检查他们使用他们打算的HTTPS网站（除非用户真的想检查页面的源）。

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

攻击者可以非常好地替换您所提供的内容，如下所示：

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe" />

其中：

<iframe src="https://rogue.site.example/badloginframe" />

或甚至：

<iframe src="http://rogue.site.example/badloginframe" />

这很难检测到用户，并且违反了您尝试的安全措施通过启用通过HTTPS登录。

This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.

这篇关于HTTP和HTTPS iframe的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！