I have an https page (https://example.com/main.php) that has an iframe with a non-https source (http://example.com/inner.php). Both files are on the same server - just one is accessed with https and the other is not. I need the non-https page to be able to execute javascript on the https main.php page using code such as parent.myfunction()

However, when I try this, I get the following error:

Unsafe JavaScript attempt to access frame with URL https://example.com/main.php from frame with url http://example.com/inner.php. Domains, protocols and ports must match.

I have set document.domain = 'example.com' on both files and I thought that would fix it, however, it does not. Is there any way to allow the frame to execute JavaScript on the parent frame and vice versa? If so, what are the security implications of this?

PS: For those of you that will suggest just using https or http for both pages, I am looking into that. However, due to the processes occurring in the iframe page, this might not be a feasible option due to server load issues.

+3  A: 

The "Same Origin Policy" covers the protocol ("http" or "https"), the hostname, and the port number. All of those have to match or you lose.

If your server load would really be affected by having to apply encryption to the <iframe> page, then I suspect you've got other, far more serious problems. In this day and age that really shouldn't be an issue. If you've got a massively high-traffic site, then you probably should be using a front-end to do the SSL anyway.

Pointy
A: 

You cannot do cross-domain/cross-protocol/cross-port access with JavaScript. This is known as "cross domain scripting", which is an issue since without security like this, I could open up GMail in an iframe, get the "u" and "p" textboxes, and have a user's login info like that.

What you put in your PS is the only real solution you can use besides using an echo server... which would be overkill.

ItzWarty
A: 

If it were ever possible to do what you are asking to do, no SSL-secured web site would ever be safe.

Let me describe the problem. Let's say a user, Alice, goes to access her account on Paypal.com. I, Mallory, am between Paypal and Alice. As Alice accesses Paypal, I intercept her request and return a page containing two things: one frame with https://paypal.com, and one containing a page purporting to be 'http://my.paypal.com', which I crafted myself. The HTTPS frame validates fine because it actually came from Paypal. The HTTP frame contains some Javascript of my device which will reach into the HTTPS frame, and when Alice enters her password it will send it to me!

So no, it's not OK to access secure content from insecure content, even on the same domain.

Borealid