HTTPS Mixed Content prompt when HTTPS page hosts HTTP subframe - iframe

I'm using an iframe technology that places my html page inside of a 'landing page' hosted by our clients.
The problem in 1 situation is the page hosted by the client is HTTPS and it shows the Security Warning: Do you want to view only the webpage content that was delivered securely? Yes No
I want this to be resolved... not sure what to do. We have an SSL certificate which works but that particular iframe page, when accessing via https on my local box, it shows the SSL Warning that it's not valid.

Read this article for some background about mixed content. In general, you can't have an HTTP-based subframe of an HTTPS-based page; if you do, you'll encounter this warning in most browsers in some form or another (some show a notification bar, a broken lock, or other indicator).
You'll either need to change the page so that the top-level isn't HTTPS, or so that the subpage is also HTTPS and bears a valid certificate.

Related

Using reverse proxy for http and https mixed content

We're working on a web application which allows the user to do some design for mobile devices. The user simply enters some url and that url is previewed inside some iframe. The problem is, our application is running on https and if the user enters a non-https address it's not displayed by the browser for obvious reasons...
So can we use some reverse-proxy configuration to overcome this issue somehow? For example we'll set the iframe url as http://myserver.com/?url=http://externalserver.com and the reverse proxy will simply return the externalserver.com content back...
Is something like this possible?

Use of "reversed" mixed content (serving active and passive HTTPS content to HTTPS website)

I have found a lot of information about serving http content into https websites and what to think of when doing / not doing that.
My problem is slightly different: I want to serve https content from one domain (active and passive) into another http only domain websites, but I can't find any information about browser support for that.
Example:
http://www.mydomain.com
loads scripts and images from
https://www.myotherdomain.com
I have tried this out in Chrome / Firefox and seem to not get any warnings, but wonder what the general browser support out there is. Can I expect this to work anywhere?

The reason for mixed content warnings is that when a user is browsing a page over https and it has content embedded which is accessed over http, the user would believe they are on a secure connection but not be aware of the insecure content otherwise. This could be used to trick a user into believing they are secure when actually they are not.
In your case the user would of course only see http, and not see anything to make them believe the connection is secure; this therefore would not be a security concern, meaning that browsers will allow this.
The bigger question is why you may want to do this. Remember you will not benefit from caching between your server and the client, which would increase load on your https server. I'd be tempted to serve a copy of your files over http and only use the ones served over https for pages served over https.

Showing Iframe in a https site shows warning

I have a page on my website https://www.mydomain.com/about. It consists of a Vimeo video.
We are embedding the Vimeo video in an iframe on the page.
But it shows a security warning stating that "Do you want to view only the webpage content that was delivered securely?".
Is there a way to avoid this?

That warning means that some content on your page was served through HTTP instead of HTTPS. It tells the user that, even though the page itself was served through HTTPS, it includes content (image, stylesheets, scripts, iframes) that was not authenticated, and that such content may be subject to MITM attacks.
If you want to avoid the warning, you should set the source of the iframe to an https: URL.

how to access the http and https in the same page in asp.net?

I am creating a website with password-protected pages in it.
I have two types of customer: 1. normal 2. secured
For secured customers, pages would be rendered over HTTPS whereas for normal customers, pages will be rendered over HTTP.
However, pages for both types of users would be same but the content will change.
Please note, the URL for the two users should be same except HTTP/HTTPS part.
Can anyone please suggest how to structure the application so that the same page will act as both http and https?
Also would like to know, sometimes when we browse some HTTPS page and few of the items like image are referenced over HTTP then we get a cross in Address Bar indicating that some of the resources are not over HTTPS.
How can we overcome this problem, any suggestions?

This should be fine. When the user logs in, redirect them to an https:// page. Just use the same page addresses, only the scheme (http or https) needs to change.
To avoid problems with choosing between http or https (for example in image URLs like you mention), try to use relative URLs whenever possible, instead of absolute URLs. So if you're on https://test.com/index.html and want to display an image in an images directory, use /images/test.jpg (relative) rather than https://images/test.jpg (absolute).
If you have to use absolute, you can use a scheme-relative url - for example //images/test.jpg will use HTTP if the current page is using HTTP, and HTTPS if the page is using HTTPS.
See this question and this one for more details.

ssl not working correctly

I have an SSL certificate set up and when I use the https prefix Google Chrome puts a skull next to it and crosses out the https. Here's what the security information says:
The identity of this website has been verified by go daddy secure certification authority.
Your connection is encrypted with 128bit encryption...However, this page includes other resources which are not secure.
What am I doing wrong?

This means that you are linking to a resource (CSS, JavaScript, image, etc) on your website that does not have an SSL connection.
Check that all of your images, JavaScript, and CSS links are either relative (e.g. starting with \ or image\myimage.png, not http://www.mysite.com/images/myimage.png) or linking to an SSL site as well.
A common cause of this issue can be Google AdSense, which does not offer an SSL option for ad serving. Similar JavaScript links may also be "breaking" your SSL's "validity".

This occurs when you are using items that are not protected by your SSL cert. This could be items not under the SSL settings on your web server or if you are using items from another server entirely for example.
In Chrome you can set all insecure content to be blocked to see what breaks and fix it.
OR
Use Firebug in Firefox and see if there are any files that are being grabbed with the http protocol in the net tab.
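
As an added example (not code from any of the posts above), the check the answers describe, finding resources that an HTTPS page pulls in over http://, can be scripted with Python's standard library. The page URL, the sample HTML and the `scan` helper are constructed for illustration; the active/passive split follows the usual browser grouping.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource, grouped the way browsers
# treat them: "active" content can script or restyle the page, "passive" cannot.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource for stylesheets, not rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in pairs:
                if t == tag and attrs.get(attr):
                    # Resolve relative and scheme-relative URLs against the page
                    url = urljoin(self.page_url, attrs[attr])
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return mixed-content findings; a page served over HTTP has none."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (not from the original posts)
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/about">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://www.example.com/images/logo.png">
<iframe src="http://player.example.org/video/1"></iframe>
"""

if __name__ == "__main__":
    for finding in scan("https://www.example.com/about", SAMPLE):
        print(finding)
```

Relative and scheme-relative references inherit https from the page and are not reported; only the absolute http:// image and iframe are.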
