views:

441

answers:

5

I've recently faced a problem involving passing data (small amount), from a page to an iframe.

It was simple when both pages were http - I've used the query string to pass information to the iframe and javascript to signal the parent page of process completion.

When iframe location was changed to https, there was a problem accessing the parent by javascript, because https and http are considered different domains - it was solved by using a redirect in the iframe to an ordinary page and invoking javascript from there.

It worked fine, both on IE and FF, yet upon testing a peculiar behavior was discovered. Only in IE, in a scenario when a user visited a page in https domain, went to the http page, and worked with the iframe, after the redirect the script still was unable to run, giving a cryptic exception - TypeError: Access is denied.

I didn't find a way to check the current location of the iframe from the parent page, and the only solution I can see is a crude hack involving ajax polling from the parent http page.

Despite my advice on changing the page design, or using https on both sides - I still have to find a solution - since other sites, apparently, succeed working this way. I couldn't copy this behavior using Firebug, because those sites don't work with FF, and I couldn't get any results.

I'd like to hear suggestions on solving this problem, but if it's not feasible, I'd like to know this for sure.

+3  A: 

Last year on the CCC congress 25C3 there was a presentation about security issues on web pages, and there was a very clear message: don't mix http and https on the same page, that provides an unacceptable risk of man-in-the-middle attacks.

A user has no way to know which part of the page is http and which is https. Combining both on the same page is malpractice, and should be treated as such.

The videos are here

Stephan Eggermont
Define "unacceptable"?
AnthonyWJones
Should get you fired and thrown out of the IEEE and ACM
Stephan Eggermont
+1  A: 

You're running up against same origin policy, and you're correct when you say having a different protocol will mean the origin is not the same and cross frame access will not work.

If you have found some circumstance in which cross origin access works then this is a bug in that browser and you should report it to the browser maker.

Cookies do flow between HTTP and HTTPS, if they're not marked as HTTPS only, which might be an approach you could consider.

blowdart
Cookies wouldn't help - the requirement is for a responsive, AJAX-y page. An event in an iframe needs to be passed on to the parent page.
vogre
iframes are old school ajax. If you want AJAXy then just implement Ajax and be done with it
blowdart
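As an added illustration of the two points in this answer (not code from the question or from any answer here): the snippet below models how a browser derives an origin from a URL, so that http://mydomain and https://mydomain compare as different origins while the redirected http frame matches the http parent, and how the Secure attribute decides whether a cookie crosses that boundary. The page names (taken from the question) and the cookie objects are constructed sample input; the model of cookie matching is deliberately minimal (host and Secure only). Runs under Node.js using only the built-in URL class.

```javascript
// Added example, not from the original question or answers.
// Models the same-origin comparison and the Secure cookie rule discussed above.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple; path, query and fragment
// are ignored. A missing port is filled in from the scheme's default.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Script access between a frame and its parent requires all three parts to
// match, so a different scheme alone makes two pages cross-origin.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Minimal cookie model (constructed): { host, secure }.
// A cookie with the Secure attribute is only sent over https; one without it
// is sent on both http and https requests to that host.
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  if (u.hostname !== cookie.host) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Constructed sample layout, using the page names from the question.
const parentPage = 'http://mydomain/PageWithInnerIframe';
const secureFrame = 'https://mydomain/PageWithIframeContent';
const redirectedFrame = 'http://mydomain/UnSecuredIframeContentPage';

// Collects the checks a defender would want to see for this layout.
function demo() {
  return {
    // https frame vs http parent: different scheme, different origin
    secureFrameToParent: sameOrigin(secureFrame, parentPage),
    // after the 302 to an http page the frame shares the parent's origin
    redirectedFrameToParent: sameOrigin(redirectedFrame, parentPage),
    // a cookie set without Secure is sent to the http parent page
    plainCookieOnHttp: cookieSentTo({ host: 'mydomain' }, parentPage),
    // a Secure cookie is withheld from the http page
    secureCookieOnHttp: cookieSentTo({ host: 'mydomain', secure: true }, parentPage),
  };
}

module.exports = { originOf, sameOrigin, cookieSentTo, demo };
```

The last line of `demo()` is the security-relevant caveat to the "cookies could be an approach" suggestion: any cookie you rely on for http/https hand-off must be set without the Secure attribute, which means it is also exposed on every plain-http request, so nothing sensitive belongs in it.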
A: 

AnthonyWJones: Versions of IE - 6, 7, 8 - not sure about service packs/minor numbers. Firefox was 3.5.

Structure of the app -

https://mydomain/SomeRandomPage

http://mydomain/PageWithInnerIframe

https://mydomain/PageWithIframeContent

Redirect - HTTP 302 to

http://mydomain/UnSecuredIframeContentPage

which has

<script ...>
parent.document ... 
</script>

which fails.

The flow works fine if the user doesn't visit https://mydomain/SomeRandomPage. Other than that it works (logically) fine - the iframe is already pointing to an HTTP page.

Stephan Eggermont: Thanks, I will present this information, along with examples of alternative solutions.

vogre
A: 

Found a hack for being able to do this, guess I didn't search well enough in the first place.

In the second answer, described by Leonv - The hack

vogre
I hope these are closed soon.
Stephan Eggermont
A: 

How about the document.domain hack on both the iframe and the parent page?

rbawaskar