How to allow http content within an iframe on a https site

Question

I load some HTML into an iframe but when a file referenced is using http, not https, I get the following error:

[blocked] The page at {current_pagename} ran insecure content from {referenced_filename}

Is there any way to turn this off or any way to get around it?

The iframe has no src attribute and the contents are set using:

frame.open();
frame.write(html);
frame.close();

http://stackoverflow.com/questions/9280665/insecure-content-in-iframe-on-secure-page — chiliNUT, Aug 20 '13 at 05:30
made an edit. The src is not set as the content is written into the iframe — georgephillips, Aug 20 '13 at 09:36
Thanks for all the answers. Long story short is proxy the content. — georgephillips, Aug 17 '14 at 02:50
@georgephillips would you share the code for proxying the content? — Gintas_, May 05 '17 at 20:30

score 152 · Answer 1 · edited Jan 26 '18 at 08:05

152

Note: While this solution may have worked in some browsers when it was written in 2014, it no longer works. Navigating or redirecting to an HTTP URL in an iframe embedded in an HTTPS page is not permitted by modern browsers, even if the frame started out with an HTTPS URL.

The best solution I created is to simply use google as the ssl proxy...

https://www.google.com/search?q=%http://yourhttpsite.com&btnI=Im+Feeling+Lucky

Tested and works in firefox.

Other Methods:

Use a Third party such as embed.ly (but it it really only good for well known http APIs).
Create your own redirect script on an https page you control (a simple javascript redirect on a relative linked page should do the trick. Something like: (you can use any langauge/method)

https://example.com That has a iframe linking to...

https://example.com/utilities/redirect.html Which has a simple js redirect script like...

document.location.href ="http://thenonsslsite.com";
Alternatively, you could add an RSS feed or write some reader/parser to read the http site and display it within your https site.
You could/should also recommend to the http site owner that they create an ssl connection. If for no other reason than it increases seo.

Unless you can get the http site owner to create an ssl certificate, the most secure and permanent solution would be to create an RSS feed grabing the content you need (presumably you are not actually 'doing' anything on the http site -that is to say not logging in to any system).

The real issue is that having http elements inside a https site represents a security issue. There are no completely kosher ways around this security risk so the above are just current work arounds.

Note, that you can disable this security measure in most browsers (yourself, not for others). Also note that these 'hacks' may become obsolete over time.

edited Jan 26 '18 at 08:05

answered Aug 07 '14 at 18:27

Matthew Peters

1,861
2
14
16

10

Great answer, thanks. Just to let you know in chrome the JS redirect method does not work just prevents the change (as it does when you try load it normally). – georgephillips Sep 03 '14 at 01:52
1

To get the "I'm feeling lucky" forwarder method to work, see [this related answer](http://webapps.stackexchange.com/a/59216/75677). It will lead you to the first Google result, so it obviously only works only when your intended target target page is in the Google index already, and you find a query that returns it on top. – tanius Sep 06 '14 at 14:29
The I'm feeling lucky with just the API is a workaround in cases where you do not have access to write code and can only put in a uri. – Matthew Peters Sep 07 '14 at 15:37
1

@Jude, what does that link tell us? – Matthew Peters Sep 11 '14 at 14:51
1

@MatthewPeters, Good solution though. I used it with little bit modification `https://www.google.com/webhp?#q=http://www.yourhttpsite.com&btnI=I`. I suppose `btnI=Im+Feeling+Lucky` no more working. I thinks that bit was replaced by `btnI=I`. – Jude Sep 12 '14 at 06:06
10

The redirect trick seems to work in Firefox only. Chrome still denies loading the insecure content. Are there any other known workarounds? – Andreas Gohr Nov 25 '14 at 15:07
5

This is not a solution because it only works in Firefox – vrijdenker Dec 16 '14 at 13:11
2

@vrijdenker, at the time, the proxy by google worked in more browsers. Like I said, over time solutions will become obsolete as these are mere hacks. The question itself is flawed because it assumes there is a permanent solution other than 'no, it cannot be done by design.' – Matthew Peters Dec 19 '14 at 16:23
It looks like this is not enforced if the https parent is localhost regardless of the http iframe but I haven't seen this documented anywhere. This is making test results inconsistent - any way to make this always enforced? – Brad Peabody Dec 29 '14 at 20:55
49

Just wanted to signal out that the "Create your own redirect script on an https page you control" method no longer works with current versions of Chrom(e|ium) and Firefox, even using JS. – kako-nawao Feb 10 '15 at 15:39
I guess this worked when posted, but it doesn't anymore. "Refused to display 'https://www.google.es/search?q=%25http://WHATEVER&btnI=Im+Feeling+Lucky&gws_rd=cr&ei=TLhqWIf3CsH8UtL-p6gI' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' – matteo Jan 02 '17 at 20:31
2

Using Google as the SSL proxy doesn't work for me either – Tarun Gupta Jan 05 '17 at 14:12
18

This answer is invalid to date, any other solutions – Sam Denty Feb 09 '17 at 22:15
28

The answer should have an option to be labeled as 'deprecated'. It creates confusion unless you read all the comments. – Nitin May 16 '17 at 19:44
I've added a note to the top of the post explaining what's changed. – Jan 26 '18 at 08:05
1

Abusing search engine as automatic redirector is insane and horrible idea, regardless if it works or not. – kolen Jul 03 '18 at 15:55

score 33 · Accepted Answer · answered Aug 14 '14 at 03:09

33

Based on generality of this question, I think, that you'll need to setup your own HTTPS proxy on some server online. Do the following steps:

Prepare your proxy server - install IIS, Apache
Get valid SSL certificate to avoid security errors (free from startssl.com for example)
Write a wrapper, which will download insecure content (how to below)
From your site/app get https://yourproxy.com/?page=http://insecurepage.com

If you simply download remote site content via file_get_contents or similiar, you can still have insecure links to content. You'll have to find them with regex and also replace. Images are hard to solve, but Ï found workaround here: http://foundationphp.com/tutorials/image_proxy.php

answered Aug 14 '14 at 03:09

panpernicek

657
6
11

1

This will not work, since many pages behind iframe don't want to be embedded in an iframe and thus set X-Frame-Options Header to SAMEORIGIN. Even if you are able to bypass this using the proxy, the page would try to load something like /insecurepage.css and your browser will request https://yourdomain/insecurepage.css – antidote Jul 25 '19 at 12:46
This solution worked perfectly for me. Found directions for IIS here: https://techcommunity.microsoft.com/t5/iis-support-blog/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world/ba-p/846222 – Rob10e Feb 05 '21 at 16:33

score 32 · Answer 3 · answered May 19 '15 at 06:10

I know this is an old post, but another solution would be to use cURL, for example:

redirect.php:

<?php
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo $data;
}

then in your iframe tag, something like:

<iframe src="/redirect.php?url=http://www.example.com/"></iframe>

This is just a MINIMAL example to illustrate the idea -- it doesn't sanitize the URL, nor would it prevent someone else using the redirect.php for their own purposes. Consider these things in the context of your own site.

The upside, though, is it's more flexible. For example, you could add some validation of the curl'd $data to make sure it's really what you want before displaying it -- for example, test to make sure it's not a 404, and have alternate content of your own ready if it is.

Plus -- I'm a little weary of relying on Javascript redirects for anything important.

Cheers!

This is pretty working, but the links inside the site are getting invalid. For example, I have a domain called `example.com` which has a SSL. I am embedding a iframe with `example.net` which has no SSL. The `example.com` has a link like `href="/path/file.html"` and while clicking it, it is opening as `https://example.com/path/file.html` instead of `http://example.net/path/file.html` — Sibidharan, Feb 15 '16 at 15:13
The link cannot be relative if you would like this to work. In other words, specify the full URL within the href. If this is dynamic there are libraries to grab each segment of the URL in Javascript as well as server side. — Anthony Mason, Jul 13 '16 at 19:55
css of the target site under iframe is broken . Please check — Jeff Bootsholz, Feb 28 '19 at 09:21

score 20 · Answer 4 · edited Jun 20 '20 at 09:12

20

add <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> in head

reference: http://thehackernews.com/2015/04/disable-mixed-content-warning.html

browser compatibility: http://caniuse.com/#feat=upgradeinsecurerequests

edited Jun 20 '20 at 09:12

Community

1
1

answered Jan 30 '17 at 18:41

user2523022

281
2
5

35

This solution doesn't allow you to serve http content on a https site. All this does is force http requests as https requests. If the resource doesn't exist on https you'll just get a 404 error instead. – Felix Feb 20 '17 at 21:12
1

This is actually works at least for my needs.. tested it with firefox and confirmed working. My issue is source URL isn't HTTPS compliance while my own website is using HTTPS. – Fernan Vecina Dec 14 '17 at 03:41
Working like charm in chrome Version 76.0.3809.132 (Official Build) – Mohamed Azharuddin Sep 09 '19 at 07:10
This solution chang http to https and do not add content from http site to https site. – Kashif Munir Jan 31 '21 at 16:46
1

Not working anymore. – Goran_Ilic_Ilke Mar 15 '22 at 13:13

score 9 · Answer 5 · edited Jan 02 '18 at 13:25

Using Google as the SSL proxy is not working currently,

Why?

If you opened any page from google, you will find there is a x-frame-options field in the header.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

(Quote from MDN)

One of the solution

Below is my work around for this problem:

Upload the content to AWS S3, and it will create a https link for the resource.
Notice: set the permission to the html file for allowing everyone view it.

After that, we can using it as the src of iframe in the https websites.

Does this still work? Because I can't seem to get S3 to serve an https link ATM. — bobsbeenjamin, Feb 05 '22 at 00:30

score 8 · Answer 6 · edited May 11 '17 at 17:14

8

You will always get warnings of blocked content in most browsers when trying to display non secure content on an https page. This is tricky if you want to embed stuff from other sites that aren't behind ssl. You can turn off the warnings or remove the blocking in your own browser but for other visitors it's a problem.

One way to do it is to load the content server side and save the images and other things to your server and display them from https.

You can also try using a service like embed.ly and get the content through them. They have support for getting the content behind https.

edited May 11 '17 at 17:14

Talha Awan

4,573
4
25
40

answered Nov 02 '13 at 21:12

Addeladde

777
2
9
28

if you scrape the content and show it on your site their is Always the risk of cross site scripting. So a god solution is to scrape the content on a separate url and present the data in an iframe from that url with https. In that way you prevent crosssite scripting on your mainsite and session hijacking. – Addeladde May 13 '14 at 13:41

score 2 · Answer 7 · answered Mar 24 '14 at 18:42

2

You could try scraping whatever you need with PHP or another server side language, then put the iframe to the scraped content. Here's an example with PHP:

scrapedcontent.php:

<?php
$homepage = file_get_contents('http://www.example.com/');
echo $homepage;
?>

index.html:

<iframe src="scrapedcontent.php"></iframe>

answered Mar 24 '14 at 18:42

Grant

229
5
13

3

How will you handle images, included JS and CSS files, hyperlinks, and AJAX requests? – dotancohen May 11 '14 at 06:54
@dotancohen you're right, it isn't a perfect solution, but I think it is the best for this situation. Some sites you won't run into the problems you discussed. – Grant Jun 10 '14 at 02:57
1

This works, but its effectively double loading the content and therefore loading time as your server scrapes and then re-serves the content... – ChristoKiwi Jan 12 '15 at 00:56
Not working for me. – Goran_Ilic_Ilke Mar 17 '22 at 11:15

tanius · Answer 8 · 2019-10-12T18:28:47.210

2

Use your own HTTPS-to-HTTP reverse proxy.

If your use case is about a few, rarely changing URLs to embed into the iframe, you can simply set up a reverse proxy for this on your own server and configure it so that one https URL on your server maps to one http URL on the proxied server. Since a reverse proxy is fully serverside, the browser cannot discover that it is "only" talking to a proxy of the real website, and thus will not complain as the connection to the proxy uses SSL properly.

If for example you use Apache2 as your webserver, then see these instructions to create a reverse proxy.

edited Oct 12 '19 at 18:28

answered Sep 04 '14 at 17:51

tanius

14,003
3
51
63

1

`mitmproxy` is a debugging tool, not production proxying system. `ngrok` is tunnelling service, mostly for development servers, I don't understand how it can be useful for this. – kolen Jul 03 '18 at 15:52
@kolen It's not about the tools, it's about the idea of using a reverse proxy for this, not mentioned in the other answers yet. Changing to Apache now, which is a much more common way to do a reverse proxy. – tanius Oct 12 '19 at 18:30
This solution worked perfectly for me. Found directions for IIS here: https://techcommunity.microsoft.com/t5/iis-support-blog/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world/ba-p/846222 – Rob10e Feb 05 '21 at 16:31

score 0 · Answer 9 · edited Aug 17 '22 at 05:28

0

All you need to do is just use Google as a Proxy server.

https://www.google.ie/gwt/x?u=[YourHttpLink].

<iframe src="https://www.google.ie/gwt/x?u=[Your http link]"></iframe>

It worked for me.

Credits:- https://www.wikihow.com/Use-Google-As-a-Proxy

edited Aug 17 '22 at 05:28

Subhan

1,544
3
25
58

answered Mar 29 '20 at 20:20

Star TechTricks

35
5

Where you are trying to use it. – Star TechTricks May 18 '20 at 04:16
2

Doesn't work for me. And `` should be ``. – TimTIM Wong Dec 31 '21 at 05:21

score 0 · Answer 10 · answered Oct 20 '20 at 11:37

Try to use protocol relative links.

Your link is http://example.com/script.js, use:

<script src="//example.com/script.js" type="text/javascript"></script>

In this way, you can leave the scheme free (do not indicate the protocol in the links) and trust that the browser uses the protocol of the embedded Web page. If your users visit the HTTP version of your Web page, the script will be loaded over http:// and if your users visit the HTTPS version of your Web site, the script will be loaded over https://.

Seen in: https://developer.mozilla.org/es/docs/Seguridad/MixedContent/arreglar_web_con_contenido_mixto

only works if the resource is available as https. – dansch Dec 03 '20 at 18:35 — dansch, Dec 03 '20 at 18:35

How to allow http content within an iframe on a https site

10 Answers10

Why?

One of the solution

Linked

Related