Allow mixed content inside iframe - javascript

The parent site is running on https. Inside the parent site window is an iframe with an https src. The iframe has links with http.
It's an https (main parent site) => https (iframe) => http (links inside iframe) scenario.
In the browser console, blocked:mixed content is getting logged.
Kindly help to get rid of this error.

This is a browser setting, and you did not indicate which browser you are using. Here is info from Firefox on how to disable mixed-content blocking. Note, disabling this increases your security risks. Here is a good article describing the concept so you have a better understanding of why it's happening and what the risks are.

Related

Prevent mixed content error when embedding HTTP frame inside an HTTPS parent

When I embed an HTTP frame inside an HTTPS parent, I get a security error in Chrome & Firefox. Is there any workaround to use an iframe tag without getting this error?
In Firefox, there is a preference you can set (security.mixed_content.block_active_content) that will let you see the contents of the iframe. If this is an internal site, you may be able to get all your users to switch this preference, but then you're disabling an important security setting. If this is a public site, this is not feasible.
You should modify your site to avoid mixed content.
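
One way to find what has to change before the page is free of mixed content, as an added example that is not part of the original answers: a Node.js function that lists the subresources an https page would still request over http. The function name, the tag table and the sample markup are constructed for illustration.

```javascript
// Added example (not from the original answers): list the http:// subresources
// an https page would request. The sample page in SAMPLE_HTML is constructed.
const URL_ATTR = new Map([["iframe", "src"], ["script", "src"], ["embed", "src"],
  ["object", "data"], ["img", "src"], ["audio", "src"], ["video", "src"]]);
// "Active" content can script or restyle the page, so browsers block it.
const ACTIVE = new Set(["iframe", "script", "embed", "object"]);

function findMixedContent(pageUrl, html) {
  if (new URL(pageUrl).protocol !== "https:") return []; // only https pages are affected
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attr = URL_ATTR.get(tag);
    if (!attr) continue; // e.g. <a href>: a navigation, not a subresource; not covered here
    const re = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const m = attrs.match(re);
    if (!m) continue;
    let resolved;
    try {
      // Resolve relative and protocol-relative URLs against the page URL.
      resolved = new URL(m[1] ?? m[2] ?? m[3], pageUrl);
    } catch {
      continue; // unparsable URL: nothing to report
    }
    if (resolved.protocol === "http:") {
      findings.push({ tag, url: resolved.href, kind: ACTIVE.has(tag) ? "active" : "passive" });
    }
  }
  return findings;
}

const SAMPLE_HTML = `
  <script src="//cdn.example/app.js"></script>
  <iframe src="http://widgets.example/frame.html"></iframe>
  <img data-src="http://img.example/lazy.png" src="/static/logo.png">
  <img src='http://img.example/banner.png'>
  <a href="http://news.example/">news</a>`;

console.log(findMixedContent("https://parent.example/index.html", SAMPLE_HTML));
```

The protocol-relative script and the relative image resolve to https and are not reported; the http iframe is the "active" case that the Firefox preference above controls.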

Understanding Cross-Domain issue in Iframes

This question might seem silly but I need to understand this for clarity.
According to my understanding, cross-domain problem is when the domain of the webpage which contains the IFRAME is different from the domain of the web-page opened in IFRAME.
Going by that logic, nothing should open in IFRAME ever.
When I embed a web-page "bottom:10700" in the IFRAME of my web-page "top:9700", it gives an error. I am not able to see the contents in the IFRAME. The error is: Access denied in accessing property 'constructor'
I am getting the error while accessing the constructor (_1.constructor):
    isc.A.Function=function isc_isA_Function(_1){
        if(_1==null) return false;
        if(isc.Browser.isIE&&typeof _1==this.$a7) return true;
        var _2=_1.constructor;
        if(_2&&_2.$k!=null){
            if(_2.$k!=1)return false;
            if(_2===Function)return true
        }
This script is run when the home page of bottom is opened in an iframe contained in top.
Is there any way I can make this work? I mean, can I set both the domains to be the same? I don't have access to the remote site's script.
Is resizing the frame after rendering it once a cross-domain scenario? If not, then certainly the remote site is trying to access the IFRAME element. How can I debug this?
Cross-domain issues are about the communication between iframes. You can always embed any iframe but, if domains differ, iframes cannot interact with each other e.g. execute JS, modify DOM etc.
HTML5 provides a sandbox property that re-enables particular features of the cross-domain iframe interaction. Be careful, it can be dangerous.
It is normal behavior for a page xyz.com to load in an iframe hosted on abc.com. However, you cannot change anything or access its content via code from parent abc.com.
Hope this helped.

Know which page the user is browsing in iframe

I would like to create a web page which is a main page that has one iframe whose content does not come from the same host as the main page but I would like to know which page the user is currently browsing in the iframe.
For example, I have a main page with a button bound to a JavaScript event and an iframe that loads content from a site like google.
A user can navigate the content in iframe as he wants but when the button in the main page is clicked, the current url in the iframe must be popped up.
I already tried it but since the same origin policy always applies, an error like this
Permission denied to access property 'location' occurs.
I do know that it makes sense according to SOP but I really need to do it.
I would like to know if there is some hack that can do the trick or I have to admit the restriction and design my app the other way.
If there was such a trick, it would make browser security invalid and expose privacy issues. These things are there for a reason.
You can disable this for YOURSELF, but bypassing it for others is evil.
See:
Disable same origin policy in Chrome

How can I prevent an iframe from accessing parent frame?

I've got a page with an iframe. The page and the source of the iframe are in different domains. Inside the iframe I'm using a rich text editor called CuteEditor (which has turned out to be not so cute). There are certain javascript functions in CuteEditor which try to access 'document' but the browser denies access since they're not in the same domain.
Here's the exact error:
Permission denied to access property 'document'
http://dd.byu.edu/plugins/cuteeditor_files/Scripts/Dialog/DialogHead.js
Line 1
Editing the javascript is out of the question because it's been minified and obfuscated so all the variable names are cryptic.
Using a different editor is currently out of the question because this is a work project and this is the editor I've been told to use.
Is there a way to keep the iframe self-contained? So it does everything inside the iframe and doesn't try to break out to the parent frame?
If the child iframe is loaded from a different domain, then it will not be able to access the parent page or DOM.
However, there is still a possible vulnerability to a man-in-the-middle attack, as follows. Suppose your page loads off http://yoursite.com and the iframe goes to http://badsite.org.
First, http://badsite.org redirects to http://yoursite.com/badpage.
This is the step that requires a man-in-the-middle attack. The attacker must either be able to get between the user and yoursite.com, or control the answers to your DNS lookup. This is easier than it sounds -- anyone who has administrative control over a public WiFi access point could do it (think Starbucks, hotels, airports.) The goal is to serve the content of http://yoursite.com/badpage from the attacker's site, not your actual site.
The attacker can then serve whatever malicious code they like from the (fake) http://yoursite.org/badpage. Because this is in the same domain as the main page, it will have access to the parent DOM.
The HTML5 iframe sandbox attribute seems to be the way to avoid this. You can read the spec, but the best description might be here.
This seems to be supported on Chrome, IE10, Firefox, Safari.
The spec says that if the "allow-same-origin" attribute is not set, "the content is treated as being from a unique origin." This should prevent your child iframe from accessing any part of the parent's DOM, no matter what the browser thinks the URL is.
You shouldn't need to worry about that happening.
The only way iframes can talk cross-origin is with postMessage, and that's only possible if you're listening to that domain directly.
https://developer.mozilla.org/en/DOM/window.postMessage
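
What listening to one domain directly looks like in a message handler, as an added example that is not part of the original answers. The origin https://editor.example, the message shape and the function names are assumptions made for illustration, and the events in demo() are constructed stand-ins for what a browser would deliver.

```javascript
// Added example (not from the original answers). Origin, message shape and
// names are assumptions made for illustration.
const CHILD_ORIGIN = "https://editor.example"; // the only origin we listen to

function makeMessageHandler(allowedOrigin, expectedSource, onAccepted) {
  return function handleMessage(event) {
    // event.origin is set by the browser, not by the sender. Compare it exactly:
    // a prefix or substring check would accept https://editor.example.evil.test.
    if (event.origin !== allowedOrigin) return "rejected: origin";
    // Also require that the message came from the frame we embedded.
    if (event.source !== expectedSource) return "rejected: source";
    // Treat the payload as untrusted data and check its shape before use.
    const data = event.data;
    if (typeof data !== "object" || data === null ||
        data.type !== "content-changed" || typeof data.length !== "number") {
      return "rejected: payload";
    }
    onAccepted({ length: data.length });
    return "accepted";
  };
}

// In a browser the wiring would be:
//   const frame = document.querySelector("iframe");
//   window.addEventListener("message",
//     makeMessageHandler(CHILD_ORIGIN, frame.contentWindow, render));
//   frame.contentWindow.postMessage({ type: "init" }, CHILD_ORIGIN); // a specific target origin, not "*"

// Constructed events standing in for what the browser would deliver.
function demo() {
  const frameWindow = {}; // stand-in for iframe.contentWindow
  const accepted = [];
  const handler = makeMessageHandler(CHILD_ORIGIN, frameWindow, (m) => accepted.push(m));
  const ok = { type: "content-changed", length: 42 };
  const results = [
    handler({ origin: CHILD_ORIGIN, source: frameWindow, data: ok }),
    handler({ origin: "https://editor.example.evil.test", source: frameWindow, data: ok }),
    handler({ origin: CHILD_ORIGIN, source: {}, data: ok }),
    handler({ origin: CHILD_ORIGIN, source: frameWindow, data: "<img src=x>" }),
  ];
  return { results, accepted };
}

console.log(demo());
```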

Iframe Security Issues

We recently had a scenario in which an iframe snippet on server A was pointing to a URL on server B. Some malware was being installed by server A on some clients. Can this iframe be the cause, as in a hacker injected his URL in the iframe's src? What are the alternatives to iframe?
Most likely you experienced XSS.
If a hacker is able to change the URL an iframe points to on your site then the iframe is not the problem, your code is.
Any web site could serve up malware, but you have indicated that the hacker has attacked your site and changed the src attribute of the iframe, not the site serving the iframe contents. Even if you replaced an iframe with something else the fact that an attacker has managed to get to the data behind your web site used to generate the page means that they could not limit themselves to iframes, but embed other tactics, such as a redirect, or a hidden link which is clicked by javascript or any other type of common nasty.
Generally, an IFrame whose content comes from a different domain cannot access the DOM of the parent web site - due to cross domain scripting restrictions. There were lots of bugs involving browsers not implementing such restrictions properly, so an out-of-date client browser might be the cause.
Unless you're running code inside of the iFrame, which you really shouldn't be, it would be a good idea to disable that iFrame from running any code.
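
What the sandbox attribute does to a frame, covering both the earlier answer that quotes the spec on allow-same-origin and the advice above to stop the iframe running code. This is an added example, not part of the original answers: a Node.js check over iframe markup, where the function names and the sample markup (editor.example, yoursite.example) are constructed.

```javascript
// Added example (not from the original answers). Sample markup is constructed.
function attrValue(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?(?=\\s|$)`, "i");
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3] ?? "") : null; // "" means present with no value
}

function auditIframes(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = [];
  for (const [, attrs] of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const src = attrValue(attrs, "src");
    const sandbox = attrValue(attrs, "sandbox");
    const sandboxed = sandbox !== null; // a bare `sandbox` applies every restriction
    const tokens = new Set((sandbox ?? "").toLowerCase().split(/\s+/).filter(Boolean));
    const scripts = !sandboxed || tokens.has("allow-scripts");
    // Without allow-same-origin the content is treated as a unique origin,
    // whatever URL it was loaded from.
    const uniqueOrigin = sandboxed && !tokens.has("allow-same-origin");
    let sameOriginAsPage = false;
    try {
      sameOriginAsPage = new URL(src ?? "", pageUrl).origin === pageOrigin;
    } catch { /* unparsable src: treat as cross-origin */ }
    // Scripts plus the real origin on same-origin content can reach the parent
    // DOM and remove the sandbox attribute, so the sandbox protects nothing.
    const ineffective = sandboxed && scripts && !uniqueOrigin && sameOriginAsPage;
    report.push({ src, sandboxed, scripts, uniqueOrigin, ineffective });
  }
  return report;
}

const SAMPLE_FRAMES = `
  <iframe src="https://editor.example/cute.html"></iframe>
  <iframe sandbox src="https://editor.example/cute.html"></iframe>
  <iframe sandbox="allow-scripts allow-forms" src="https://editor.example/cute.html"></iframe>
  <iframe sandbox="allow-scripts allow-same-origin" src="/badpage"></iframe>`;

console.log(auditIframes("https://yoursite.example/index.html", SAMPLE_FRAMES));
```

The second frame is the "no code" configuration, the third runs scripts but in a unique origin, and the fourth is the combination to avoid on same-origin content.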
