UPDATE # 1
The basis of the browser security model is a policy of the same origin, which protects websites from each other. This tutorial provides a step-by-step detailed example: Security in depth: local web pages
Shortly speaking,
Should the web page come from the local file system and not from the Internet? Consider the following hypothetical attack if your browser did not limit the power of local pages:
- You receive an email from an attacker containing a web page as the application you are downloading.
- You open a local web page in your browser.
- The local web page creates an
<iframe> , whose source is https://mail.google.com/mail/ . - Since you are logged in to Gmail, the frame uploads messages to your inbox.
- The local web page reads the contents of the frame, using JavaScript to access
frames[0].document.documentElement.innerHTML . (A web page on the Internet will not be able to complete this step because it will be due to non-Gmail origin; the policy of the same origin to prevent reading from working.) - The local web page puts the contents of your mailbox in
<textarea> and sends the data through the POST form to the attacking web server. Now the attacker has your mailbox, which can be useful for spamming or identifying theft.
There is nothing Gmail can do to protect against this attack. Accordingly, browsers prevent this by making various steps in the above scenario difficult or impossible.
Allows opening a file: // links to pages loaded by http (s): // scheme
The Chrome security model prevents / blocks the user from being able to open the file: // links when the user selects (left clicks) a link or chooses to open them in a new window (middle click). Download this extension to let you follow the file: // links when you explicitly select them (left click / middle click). HTML elements that follow are such as <a href="file://server/share/file.txt"> or <a href="file://c:/localdiskfile.txt"> .
NOTE. It cannot load images (for example, <img src="file://..." /> )!
To open the link on the same tab, use the left mouse button.
To open the link in a new background tab, use the middle mouse button.
This extension is modeled after the LocalLink add-on for Firefox.
Read http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
CHANGES in this version: + Respect target = "_blank" attribute on left click
See the full change log at http://code.google.com/p/locallinks/wiki/CHANGELOG
There are 2 more types of security issues.
- to call iframe with https from your http server.
- to call iframe with http from your https server.
The Mozilla Foundation has provided details here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Policy of the same descent from
The origin policy restricts how a document or script downloaded from one source can interact with a resource from another source. This is a critical security mechanism for isolating potentially malicious documents.
Determination of origin
Two pages have the same origin if the protocol, port (if specified) and host are the same for both pages. The following table provides examples of origin comparisons with the URL http://store.company.com/dir/page.html :
-------------------------------------------------------------------------------- URL | Outcome | Reason | -------------------------------------------------------------------------------- http://store.company.com/dir2/other.html | Success | | -------------------------------------------------------------------------------- http://store.company.com/dir/inner/another.html | Success | | -------------------------------------------------------------------------------- https://store.company.com/secure.html | Failure | Different protocol| -------------------------------------------------------------------------------- http://store.company.com:81/dir/etc.html | Failure | Different port | -------------------------------------------------------------------------------- http://news.company.com/dir/other.html | Failure | Different host | --------------------------------------------------------------------------------
How it works?
- If the protocol of your page is http, then use the http page inside the iframe.
- If the protocol of your page is https, use the https page inside the iframe.
But why shouldn't you do it?
1. https with http iframe
Let's start with what you shouldn't do: your page has https, and your iframe page has http. This script is called "Mixed Active Content" and is blocking more and more browsers.
I found a good description from the developer from Firefox on this topic: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
There, for example, you will find the following: Firefox and Internet Explorer view frames of mixed active content, while Chrome considers frames of mixed passive content. This means that Firefox and Internet Explorer block the iframe while Chrome is not working yet.
2. http with https iframe
Another way includes an iframe with an https page in the http page.
This is how you can do this, but is not recommended (see why below)! If you really have no other way, try if it works on all major browsers. I already had users with side effects when it comes to cookies or session processing!
The following section is devoted to HTTP and HTTPS iframes :
As a rule, it is incorrect to use the built-in iframe with content served via HTTPS on a page served by simple HTTP (or mixed content). The reason for this is that there is no good way to verify that the user is using the HTTPS site that they intend to (unless the user wants to check the source of the page).
An attacker can very well replace the content you serve as follows:
<iframe src="https://your.legitimate.example/loginframe" width="300" height="150">
with:
<pre><iframe src="https://rogue.site.example/badloginframe"></iframe>
or even:
<iframe src="http://rogue.site.example/badloginframe"></iframe>
This is very difficult to detect for the user and defeats the security measure that you are trying to implement by enabling login via HTTPS.
So, I hope you will no longer mix content;).
IF YOU REALLY WANT TO DO THIS: An external workaround by default DOES NOT work in this setting because Javascript is loaded from a blocked http domain. To get this job you need
- Enable "Use message message for communication" on the "External workaround" tab.
- Copy the created ai_external.js to the https domain and enable it from there! Do not forget to copy ai_external.js every time you change something using the "save" icon in the administration.
For more information, you can follow this link: fooobar.com/questions/32658 / ...