I am creating a small widget and I want to allow others to use it. The iframe is loaded via HTTP - but I want to allow users to log in via HTTPS, i.e. send the login request via SSL.

Is this allowed within the same-origin policy? I.e. the scenario is that a user can integrate my JavaScript into their website, the widget opens, and I want to allow them to log in via HTTPS?


Solution 1:

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe"></iframe>

with:

<iframe src="https://rogue.site.example/badloginframe"></iframe>

or even:

<iframe src="http://rogue.site.example/badloginframe"></iframe>

This is very hard to detect for the user, and defeats the security measure you're trying to put in place by enabling login via HTTPS.

Solution 2:

@Bruno - I agree, but I would like to point out that even checking the source - as demanding as that is - of the page might not be enough to ensure security or the proper/intended destination, since that is often the originally served source text. Unless I'm seriously mistaken, that can be changed easily with in-page or even off-page JavaScript code (which itself can be obfuscated, if someone really wants to make it next to impossible to find). That said, IF a user has an appropriate browser, I think that they might be able - if they are suspicious to begin with - to check the source of the iframe to determine the source of that code, then determine whether they trust the source... not really a reasonable expectation.

Though all of this could be determined with appropriate debuggers and/or software/DOM inspectors and a good helping of digital elbow grease, the OP cannot reasonably expect everyone to do this (if anyone at all).
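The following is an added example, not code from the original post or from either of the answers above. It is a small in-memory Node.js model of the attack described in Solution 1 (an on-path attacker rewriting an HTTP-served page so the login iframe points at a rogue host) and of the point made in Solution 2 (the iframe is created by script at runtime, so the "view source" of the host page never shows the final src). The hostnames your.legitimate.example and rogue.site.example come from the answer; host.example, widget.example, the fake document object and the attacker's rewrite rule are assumptions made for the demonstration.

```javascript
// Added example (not from the original post): why an HTTPS login iframe gains
// nothing when the page or script that creates it arrives over plain HTTP.
'use strict';

const LEGIT_LOGIN = 'https://your.legitimate.example/loginframe';
const ROGUE_LOGIN = 'http://rogue.site.example/badloginframe';

// Constructed "origin server" responses. The host page embeds the widget
// script; the widget script creates the login iframe at runtime.
const WIDGET_JS =
  "var f = document.createElement('iframe');" +
  `f.src = '${LEGIT_LOGIN}';` +
  'document.body.appendChild(f);';
const ROGUE_JS = WIDGET_JS.replace(LEGIT_LOGIN, ROGUE_LOGIN);
const hostPage = (widgetUrl) =>
  `<html><body><script src="${widgetUrl}"></script></body></html>`;

const ORIGIN = {
  'http://host.example/page': hostPage('https://widget.example/widget.js'),
  'https://host.example/page': hostPage('https://widget.example/widget.js'),
  'https://widget.example/widget.js': WIDGET_JS,
  'http://rogue.site.example/widget.js': ROGUE_JS,   // assumed rogue host
};

// On-path attacker (hostile Wi-Fi, compromised router). It cannot alter TLS
// traffic, but every plain-HTTP response passes through it unprotected, so it
// rewrites the widget script reference to point at the rogue host.
function onPathAttacker(url, body) {
  if (new URL(url).protocol === 'https:') return body;
  return body
    .split('https://widget.example/widget.js')
    .join('http://rogue.site.example/widget.js');
}

// fetch() stand-in: the origin's response as seen after the attacker.
function fetchThroughNetwork(url, attacker) {
  const body = ORIGIN[url];
  if (body === undefined) throw new Error(`no such resource: ${url}`);
  return attacker(url, body);
}

// Minimal browser: find the host page's script tag, fetch and run the script
// against a tiny fake document, and report which login URL the user actually
// gets. Note that the iframe src exists only in the live DOM, never in the
// served HTML, which is the point made in Solution 2.
function loadHostPage(pageUrl, attacker = onPathAttacker) {
  const html = fetchThroughNetwork(pageUrl, attacker);
  const m = /<script src="([^"]+)">/.exec(html);
  if (!m) throw new Error('host page has no widget script');
  const script = fetchThroughNetwork(m[1], attacker);
  const document = {
    body: { children: [], appendChild(el) { this.children.push(el); } },
    createElement: (tag) => ({ tag, src: '' }),
  };
  new Function('document', script)(document);
  return { servedHtml: html, scriptUrl: m[1], iframeSrc: document.body.children[0].src };
}

// Same widget, same HTTPS login frame; the only difference is the scheme of
// the page that embeds it.
function demo() {
  const overHttp = loadHostPage('http://host.example/page');
  const overHttps = loadHostPage('https://host.example/page');
  console.log('HTTP host page  -> login iframe:', overHttp.iframeSrc);
  console.log('HTTPS host page -> login iframe:', overHttps.iframeSrc);
  return { overHttp, overHttps };
}

demo();
```

With the host page over HTTP the user ends up at the rogue login URL even though the real widget script and login frame are only ever served over HTTPS; with the host page over HTTPS the attacker has nothing it can rewrite. The rewrite rule here is one of many an on-path attacker could apply (it could equally replace the whole page), so the model understates the attacker rather than overstating it.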

Solution 3:

I have done some tests. If you are linking from an https page to another domain with https, they need a valid SSL certificate.