Allow an HTTP iframe to call JavaScript on an HTTPS parent frame

Published 2024-09-11 17:07:38 (900 characters, 5 views, 0 comments)


I have an https page (https://example.com/main.php) that has an iframe with a non-https source (http://example.com/inner.php). Both files are on the same server - just one is accessed with https and the other is not. I need the non-https page to be able to execute javascript on the https main.php page using code such as parent.myfunction()

However, when I try this, I get the following error:

Unsafe JavaScript attempt to access frame with URL https://example.com/main.php from frame with url http://example.com/inner.php. Domains, protocols and ports must match.

I have set document.domain = 'example.com' on both files and I thought that would fix it; however, it does not. Is there any way to allow the frame to execute JavaScript on the parent frame and vice versa? If so, what are the security implications of this?

PS: For those of you that will suggest just using https or http for both pages, I am looking into that. However, due to the processes occurring in the iframe page, this might not be a feasible option due to server load issues.


Comments (3)

当爱已成负担 2024-09-18 17:07:38


The "Same Origin Policy" covers the protocol ("http" or "https"), the hostname, and the port number. All of those have to match or you lose.

If your server load would really be affected by having to apply encryption to the <iframe> page, then I suspect you've got other, far more serious problems. In this day and age that really shouldn't be an issue. If you've got a massively high-traffic site, then you probably should be using a front-end to do the SSL anyway.

瀞厅☆埖开 2024-09-18 17:07:38


If it were ever possible to do what you are asking to do, no SSL-secured web site would ever be safe.

Let me describe the problem. Let's say a user, Alice, goes to access her account on Paypal.com. I, Mallory, am between Paypal and Alice. As Alice accesses Paypal, I intercept her request and return a page containing two things: one frame with https://paypal.com, and one containing a page purporting to be 'http://my.paypal.com', which I crafted myself. The HTTPS frame validates fine because it actually came from Paypal. The HTTP frame contains some JavaScript of my devising which will reach into the HTTPS frame, and when Alice enters her password it will send it to me!

So no, it's not OK to access secure content from insecure content, even on the same domain.

淡淡の花香 2024-09-18 17:07:38


You can not do cross-domain/cross-protocol/cross-port access with JavaScript. This is known as "cross domain scripting", which is an issue since without security like this, I could open up GMail in an iframe, get the "u" and "p" textboxes, and have a user's login info like that.

What you put in your PS is the only real solution you can use besides using an echo server... which would be overkill.
