允许HTTP iFrame在HTTPS父框架上调用JavaScript [英] Allowing HTTP iFrame to call JavaScript on HTTPS parent frame

问题描述

我有一个https页面（ https://example.com/main.php ）有一个非HTTPS源的iframe（ http://example.com/inner.php ） 。这两个文件都在同一个服务器上 - 只有一个是通过https访问的，另一个不是。我需要非https页面才能在https main.php 页面上使用诸如 parent.myfunction（）

I have an https page (https://example.com/main.php) that has an iframe with a non-https source (http://example.com/inner.php). Both files are on the same server - just one is accessed with https and the other is not. I need the non-https page to be able to execute javascript on the https main.php page using code such as parent.myfunction()

但是，当我尝试这个，我得到以下错误：

However, when I try this, I get the following error:

不安全的JavaScript尝试使用网址访问框架 https://example.com/main.php来自具有网址的框架 http://example.com/inner.php 。域，协议和端口必须匹配。

Unsafe JavaScript attempt to access frame with URL https://example.com/main.php from frame with url http://example.com/inner.php. Domains, protocols and ports must match.

我已经设置了 document.domain ='example.com' / code>这两个文件，我以为会修复它，但是，它没有。有没有办法允许框架在父框架上执行javascript，反之亦然？如果是这样，这是什么安全的影响？

I have set document.domain = 'example.com' on both files and I thought that would fix it, however, it does not. Is there any way to allow the frame to execute javascripts on the parent frame and vice-versa? If so, what are the security implications of this?

PS：对于那些建议只使用https或http两个页面的人，我正在研究。但是，由于iframe页面中出现了进程，由于服务器负载问题，这可能不是一个可行的选项。

PS: For those of you that will suggest just using https or http for both pages, I am looking into that. However, due to the processes occuring in the iframe page, this might not be a a feasible option due to server load issues.

推荐答案

同源策略涵盖协议（http或https），主机名和端口号。所有这些都必须匹配或丢失。

The "Same Origin Policy" covers the protocol ("http" or "https"), the hostname, and the port number. All of those have to match or you lose.

如果您的服务器负载真的受到必须对< iframe> 页面，那么我怀疑你有其他更严重的问题。在这个日子里，真的不应该是一个问题。如果您拥有大量高流量网站，那么您可能应该使用前端来执行SSL。

If your server load would really be affected by having to apply encryption to the <iframe> page, then I suspect you've got other, far more serious problems. In this day and age that really shouldn't be an issue. If you've got a massively high-traffic site, then you probably should be using a front-end to do the SSL anyway.

这篇关于允许HTTP iFrame在HTTPS父框架上调用JavaScript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！