Allow HTTP iFrame to call JavaScript on the parent HTTPS frame

I have an https page (https://example.com/main.php) that has an iframe with a source without https (http://example.com/inner.php). Both files are on the same server - only one of them is accessible using https, and the other is not. I need a page without https in order to be able to run javascript on an https page main.php using code like parent.myfunction()

However, when I try to do this, I get the following error:

Insecure JavaScript is trying to access the frame with the URL https://example.com/main.php from the frame with the URL http://example.com/inner.php . Domains, protocols, and ports must be consistent.

I installed document.domain = 'example.com' for both files, and I thought it would fix it, but it does not. Is there a way to allow the frame to execute javascripts on the parent frame and vice versa? If so, what are the security implications of this?

PS: For those of you who suggest using https or http for both pages, I am studying this. However, due to the processes occurring on the iframe page, this may not be an option due to server loading problems.

+5
3 answers

A "policy of the same origin" covers the protocol ("http" or "https"), the host name and port number. All must match or you lose.

<iframe>, , , . . , , , front-end, SSL .

+5
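
Added example (not part of the original answers): a JavaScript model of the comparison the answer above describes, applied to the two URLs from the question. The function names are hypothetical, and canScriptEachOther is a simplified model of the document.domain relaxation, which drops the host and port comparison but keeps the scheme comparison.

```javascript
// Illustrative model of the browser's check; not browser source code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the (scheme, host, port) tuple the same-origin policy compares.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is "" when the default port is used, so fill it in explicitly.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return the tuple components that differ (empty array means same origin).
function originMismatch(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ["scheme", "host", "port"].filter((k) => ta[k] !== tb[k]);
}

// Model of the check when document.domain is involved (assumption: domainA and
// domainB are the values each frame assigned, or undefined if it assigned none).
// If either frame set it, both must have set the same value AND the schemes
// must still match. Host and port are no longer compared in that case.
function canScriptEachOther(a, b, domainA, domainB) {
  if (domainA || domainB) {
    return domainA === domainB &&
      originTuple(a).scheme === originTuple(b).scheme;
  }
  return originMismatch(a, b).length === 0;
}

// The two URLs from the question.
const inner = "http://example.com/inner.php";
const main = "https://example.com/main.php";

console.log(originMismatch(inner, main));
console.log(canScriptEachOther(inner, main, "example.com", "example.com"));
// Constructed contrast case: same scheme, different subdomain, both set document.domain.
console.log(canScriptEachOther("https://a.example.com/x", main,
                               "example.com", "example.com"));
```

The first two calls show why the question's document.domain attempt fails: the scheme (and with it the default port) differs, and document.domain never relaxes the scheme.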

- , , -, SSL, .

. , , , Paypal.com. , , Paypal . Paypal, , : https://paypal.com , , http://my.paypal.com ', . HTTPS , Paypal. HTTP Javascript , HTTPS, , !

, .

+4

You cannot use cross-domain / cross-protocol / cross-port access using JavaScript. This is called cross domain scripting, which is a problem because without this protection, I could open GMail in an iframe, get the text fields “u” and “p” and get that kind of login information.

What you put in your PS is the only real solution that you can use besides using the echo server ... which will be redundant.

0