Insecure content in an iframe on a secure page
I'm in the process of developing an application for a client, which will have an SSL certificate and be served under https. However, to integrate with their existing site they want to provide their navigation inside an iframe.
I can see this causing trouble, as I'd expect the browser to complain about the mix of secure and insecure content on the page. I've had a look at similar questions on here and they all seem to refer to this the other way round (secure content in the iframe).
What I'd like to know, then, is: will it cause issues to have insecure content included inside an iframe, placed on a secure page, and if so what sort of problems would they be?
Ideally if it's not a good idea (and I have a strong feeling that it isn't) I need to be able to explain this to the client.
Comments (3)
If your page is http then it allows iframe with https content.
But if your page is https then it does not allow http content.
Let's put down the following possibilities.
If your page is being accessed using https://www.example.com/main/index.jsp (SSL) then your browser will complain with "This page contains both secure and insecure items" if there are any resources in the HTML code that are referenced with http:// (non-SSL). This includes iframes.
If your navigation page is hosted on the same server then you can prevent the "insecure content" message by using a relative URL like this...
From your question it sounds like your navigation page is being served from a separate host and you're being forced to use something like this
which will of course cause the "insecure content" message in your browser.
Your only solutions are to either
implement SSL on the server holding your navigation page so you can use https:// for your iframe reference, or
move the navigation application to the same server so you can use a relative URL.
Personally I can't see why your navigation would be on a different host because then you're going to get JavaScript cross-domain scripting issues (unless some funky JSONP is involved).
Try removing the http: characters in the src attribute's value as so:
This is of course a workaround, security is important so don't bypass blithely, but anyway this once got me past a similar problem.
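A way to check a page for the problem discussed in the answers above, as an added example that is not part of the original posts: it lists iframe, script and img references that would load over http:// when the page itself is served over https, resolving relative and scheme-relative (//host/...) URLs against the page URL the way a browser does. The host nav.example.org and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource (not exhaustive).
URL_ATTRS = {"iframe": "src", "script": "src", "img": "src"}


class MixedContentFinder(HTMLParser):
    """Collect subresources that would load over http:// on a given page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, raw attribute value, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        raw = dict(attrs).get(attr) if attr else None
        if not raw:
            return
        # urljoin resolves relative ("/nav/menu.jsp") and scheme-relative
        # ("//host/menu.jsp") references against the page URL.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, raw, resolved))


def find_mixed_content(page_url, html):
    """Return insecure subresources if page_url is https, else an empty list."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http page embedding https content is not mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; nav.example.org is a hypothetical separate host.
SAMPLE = """
<iframe src="http://nav.example.org/menu.jsp"></iframe>
<iframe src="//nav.example.org/menu.jsp"></iframe>
<iframe src="/nav/menu.jsp"></iframe>
<iframe src="https://nav.example.org/menu.jsp"></iframe>
<script src="http://nav.example.org/menu.js"></script>
"""

if __name__ == "__main__":
    page = "https://www.example.com/main/index.jsp"
    for tag, raw, resolved in find_mixed_content(page, SAMPLE):
        print(f"insecure <{tag}>: {raw} -> {resolved}")
```

Only the two explicit http:// references are reported; the scheme-relative iframe inherits https from the page, so it is only clean if the navigation host actually serves https.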