Develop Reference

Content security policy error while loading apex iframe

Issue: We get CSP (Content Security Policy) error with our Visualforce page integration.
The issue is that when we access this in sandbox testing, we find that our content is wrapped in an iframe, and that iframe also contains an iframe.
The outer iframe does not seem to have a URL, and so we cannot exclude it from our CSP whitelist.
apex putting the iframe dynamically inside another iframe that is not having any src, that is why we are not able to whitelist the domain that can open our site into iframe.
This is the sample parent iframe.
<iframe allow="geolocation *; microphone *; camera *" frameborder="no" height="1000px" id="0661b0000004nmw" marginheight="0" marginwidth="0" name="0661b0000004nmw" scrolling="yes" title="HelloWorld" width="100%">
<iframe src="https://example.com"> </iframe>
</iframe>
Error log from developer console of browser.
[Report Only] Refused to display 'https://example.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.salesforce.com".
Please let me know if there is a way to resolve the content security error in this case!

Local Time Code to Display on HTTPS

I recently moved to HTTPS. I am currently have a local time displayed on the site using the following code:
<iframe class="current-time" src="http://free.timeanddate.com/clock/i35r7kr2/n47/tlau/fs12/fcfff/tct/pct/ahl/th2/ts1" frameborder="0" width="54" height="14" allowTransparency="true"></iframe>
However now we are on HTTPS it does not show because its loaded from a http:// site so browsers don't display it.
Can someone advise a method of display our local time as http://free.timeanddate.com does not have an SSL certificate
ADDITON INFORMATION AS REQUESTED:
When we load the site that is now secure the place where the time was once displayed is blank and the browser indicates that some insecure content has been blocked. See https://www.reeffree.com.au/ to see a secure site - the missing part is under "Call Us Mon-Fri 7am-9pm & Sat-Sun 8.30am-7pm Brisbane, Australia (AEST). At ReefFree it's currently " that can be found on the right top of the page below the slider.
To see what it looked like before see the following link: http://www.extremefree.com.au/
Using this website you can see that it is the date and time script that is stated above that is causing the issue - I need to replace it with one with HTTPS: https://www.whynopadlock.com

The free service you're using supports HTTPS. Simply go back to http://www.timeanddate.com/clocks/free.html and when you get to the "Get HTML" step, choose "Secure Web Page" This will generate an <iframe src="https://... Note the URL is https instead of http

Google Analytics with HTTPS protocol with mod_pagespeed

I've used the following information to get mod_pagespeed to inject the GA scripts into my pages:
https://developers.google.com/speed/pagespeed/module/filter-insert-ga
Unfortunately we have a reverse proxy setup where the browser requests the page over HTTPS but the server injects the content as HTTP.
Here is the Chrome browser error:
[blocked] The page at 'https://*' was loaded over HTTPS, but ran
insecure content from 'http://www.google-analytics.com/ga.js': this
content should also be loaded over HTTPS.
I need this module to use the correct protocol when injecting the script i.e. https:// www.google-analytics.com/ga.js (Sorry for the broken URL I can't post more than 2 links)

We don't have an answer yet, but you can track progress of this bug here: https://code.google.com/p/modpagespeed/issues/detail?id=877

You are going to run into this issue a lot. Try fixing the proxy/server so it correctly identifies the end-user connection as SSL. Most Load Balancers inject a header and have an apache mod to read the header for you.

load Insecure content in an iframe on secured page(or ssl ) https:// in asp.net

I have a iframe in asp.net page.
The page is secured page (ie., https://www.abcd.com)
I have a button in this page. Onclick of this button we have to display an iframe, inthat iframe display a video from an http:// url (it is actually an another url in internet).
Currently we have tried with the url : http://xyx.com/v.aspx?4343
<iframe width="320" scrolling="no" height="240" frameborder="0" framespacing="0" marginwidth="0" marginheight="0" border="0" allowtransparency="true" style="BACKGROUND-COLOR: transparent;" src="http://xyx.com/v.aspx?4343">
This is giving an error :
Blocked loading mixed active content - http://xyx.com/v.aspx?4343
Can somebody advise how can I load this url in my secured page?
Have tried with the url //xyx.com/v.aspx?4343, however we are getting resource not found 404 error.
please advise..

In short, you cannot serve a cross origin insecure iframe when you're hosting a SSL encrypted application. In order to serve iframe content, both the host application and remote applications will have to use SSL encryption or both the host and remote applications will have to use un-encrypted requests.
You can find a more detailed answer at Stack Overflow Question 9280665

HTTP iframe on HTTPS page

I have a simple question, but can't find the answer that I'm looking for.
Is a http iframe that's loaded on a secure https page also secured?

A iframe with http source will not be displayed on a https website as it's considered mixed content and browsers like Chrome will block the content with the following message:
Mixed Content: The page at 'your website' was loaded over HTTPS,
but requested an insecure resource 'iframe http source '. This
request has been blocked; the content must be served over HTTPS.
So far I have not seen a solution to allow mixed content.
There has been a solution for Firefox which is based on redirecting the iframe source via another website that is hosted on the HTTPS Domain.

It is not automatically, you should verify if the src of your iframe is connecting via https or not:
<iframe src="http://www.example.com"></iframe>
your iframe doesn't extend the https access from principal page.