Hi Guys,

I am creating a small widget and I want to allow others to use it. The iframe is loaded over HTTP, but I want to allow users to log in via HTTPS, i.e. send the login request over SSL.

Is this allowed under the same-origin policy? The scenario is that a user can integrate my JavaScript into their website, the widget opens, and I want to allow them to log in via HTTPS.

Any help would be hugely appreciated :)

A: 

It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (or to mix content in general). The reason is that there's no good way for the user to check that they're using the HTTPS site they intend (unless the user really wants to check the source of the page).

An attacker could very well replace the content you serve like this:

<iframe src="https://your.legitimate.example/loginframe"></iframe>

with:

<iframe src="https://rogue.site.example/badloginframe"></iframe>

or even:

<iframe src="http://rogue.site.example/badloginframe"></iframe>

This is very hard for the user to detect, and it defeats the security measure you're trying to put in place by enabling login via HTTPS.

Bruno
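As an added example (not part of the original question or answer), the following widget-loader logic follows the reasoning above: when the host page is itself served over HTTPS, the login iframe sits inside a context the user can already verify, so it is embedded; when the host page is plain HTTP, the loader instead sends the user to the HTTPS login page as a top-level navigation, where the browser's address bar shows the real origin. The function and constant names (`chooseLoginMode`, `mountLogin`, `LOGIN_URL`) are hypothetical; the login URL is the one from the answer. The decision itself is a pure function so it can be exercised without a browser.

```javascript
// Added example, not code from the original post. Names below are assumptions.
// Hypothetical login endpoint, taken from the answer's first iframe snippet.
const LOGIN_URL = 'https://your.legitimate.example/loginframe';

// Decide how the widget should present its login form.
//   'iframe'    : the embedding page is HTTPS, so the frame lives in a context the
//                 user can verify from the address bar of the page they are on.
//   'top-level' : the embedding page is plain HTTP; an on-path attacker could swap
//                 the iframe for a rogue one and the user could not tell, so the
//                 login must happen in a top-level HTTPS window instead.
// Throws if the login endpoint itself is not HTTPS, since that is never acceptable.
function chooseLoginMode(hostPageUrl, loginUrl = LOGIN_URL) {
  const host = new URL(hostPageUrl);
  const login = new URL(loginUrl);
  if (login.protocol !== 'https:') {
    throw new Error('login endpoint must be served over HTTPS: ' + loginUrl);
  }
  return host.protocol === 'https:' ? 'iframe' : 'top-level';
}

// Browser-side glue: `doc` and `win` are passed in so the logic above stays
// testable outside a browser (in a page you would call mountLogin(document, window)).
function mountLogin(doc, win) {
  const mode = chooseLoginMode(win.location.href);
  if (mode === 'iframe') {
    const frame = doc.createElement('iframe');
    frame.src = LOGIN_URL;
    frame.title = 'Log in';
    doc.body.appendChild(frame);
    return frame;
  }
  // Plain HTTP host page: do not embed. Offer a link that opens the HTTPS login
  // page in a new top-level window so the user sees the origin in the address bar.
  const link = doc.createElement('a');
  link.href = LOGIN_URL;
  link.target = '_blank';
  link.rel = 'noopener';
  link.textContent = 'Log in (opens in a new window)';
  doc.body.appendChild(link);
  return link;
}
```

One caveat this code cannot remove: if the loader script itself is fetched over HTTP, or the host page is HTTP, an on-path attacker can alter or strip the loader just as easily as the iframe in the answer. The check protects the widget's honest users only insofar as the final login step lands them on a top-level HTTPS page whose address bar they can inspect; it does not make an HTTP host page trustworthy.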