HTTPS iframe on an HTTP page, how can I stop this?

I am looking for a flight ticket, and I need to enter my credit card information on the http:// page, which looks like this:

Iframe visa confirmation screenshot

If I look at the source code, it is actually an iframe with an HTTPS source, so it is really safe, but a non-technical expert is not aware of this. Obviously, this is terrible (even for advanced users).

Now, to my question, if I were a site offering this iframe (in this case Verified by Visa), is there a way to make modern browsers not allow my page to be used as an iframe on http://, but still allow it to be used as an iframe on https:// pages? Is there a method that Verified by Visa should really use here?

+4
1

, http://page

! - PCI-DSS .

, iframe HTTPS, , , , .

. , script , , iframe (, clickjacking) , iframe. , , , cross-document- script ... .

, iframe ( Verified by Visa), iframe http://, iframe https://?

, , Content Security Policy Level 2, , :

Content-Security-Policy: frame-ancestors https:

: IE Safari , , , , 3-D Secure-. , , , , .

, , Referer http: address. (, , , , ), .

+6
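An added example, not part of the original answer: a Python WSGI middleware that sends the `Content-Security-Policy: frame-ancestors https:` header quoted in the answer and, for browsers that do not enforce it, refuses requests whose `Referer` is an `http:` address. The names `frame_guard`, `payment_form`, `probe` and the `shop.example` URLs are assumptions made for illustration; a request without a `Referer` is let through and left to the CSP header.

```python
# Header from the answer: only https: pages may frame this response.
CSP = ("Content-Security-Policy", "frame-ancestors https:")

def referer_is_plain_http(environ):
    """True only when a Referer header is present and points at an http: page."""
    return environ.get("HTTP_REFERER", "").strip().lower().startswith("http://")

def frame_guard(app):
    """WSGI middleware: CSP for browsers that support it, Referer check as fallback."""
    def wrapped(environ, start_response):
        if referer_is_plain_http(environ):
            # Fallback path: the embedding page was loaded over plain HTTP.
            body = b"This page can only be embedded from an HTTPS page.\n"
            start_response("403 Forbidden", [
                CSP,
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]

        def add_csp(status, headers, exc_info=None):
            # Append rather than replace: several CSP headers are all enforced.
            return start_response(status, list(headers) + [CSP], exc_info)
        return app(environ, add_csp)
    return wrapped

def payment_form(environ, start_response):
    """Hypothetical framed page standing in for the card-entry form."""
    body = b"<form>card entry form</form>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]

def probe(referer=None):
    """Send one constructed request through the guard; return (status, headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(frame_guard(payment_form)(environ, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    # Constructed Referer values: HTTP parent, HTTPS parent, header absent.
    for ref in ("http://shop.example/checkout", "https://shop.example/checkout", None):
        print(ref, "->", probe(ref)[0])
```

The `Referer` check only sees the immediate parent and can be suppressed by the embedding page, so it complements the header rather than replacing it.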

Source: https://habr.com/ru/post/1625214/

