How to allow http content within an iframe on a https site

后端 未结 10 1309
我寻月下人不归
我寻月下人不归 2020-11-22 14:06

I load some HTML into an iframe but when a file referenced is using http, not https, I get the following error:

[blocked] The page at {current_pagenam

相关标签:
10条回答
  • 2020-11-22 14:30

    You could try scraping whatever you need with PHP or another server side language, then put the iframe to the scraped content. Here's an example with PHP:

    scrapedcontent.php:

    <?php
    $homepage = file_get_contents('http://www.example.com/');
    echo $homepage;
    ?>
    

    index.html:

    <iframe src="scrapedcontent.php"></iframe>
    
    0 讨论(0)
  • 2020-11-22 14:31

    add <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> in head

    reference: http://thehackernews.com/2015/04/disable-mixed-content-warning.html

    browser compatibility: http://caniuse.com/#feat=upgradeinsecurerequests

    0 讨论(0)
  • 2020-11-22 14:32

    Based on generality of this question, I think, that you'll need to setup your own HTTPS proxy on some server online. Do the following steps:

    • Prepare your proxy server - install IIS, Apache
    • Get valid SSL certificate to avoid security errors (free from startssl.com for example)
    • Write a wrapper, which will download insecure content (how to below)
    • From your site/app get https://yourproxy.com/?page=http://insecurepage.com

    If you simply download remote site content via file_get_contents or similiar, you can still have insecure links to content. You'll have to find them with regex and also replace. Images are hard to solve, but Ï found workaround here: http://foundationphp.com/tutorials/image_proxy.php

    0 讨论(0)
  • 2020-11-22 14:35

    Try to use protocol relative links.

    Your link is http://example.com/script.js, use:

    <script src="//example.com/script.js" type="text/javascript"></script>
    

    In this way, you can leave the scheme free (do not indicate the protocol in the links) and trust that the browser uses the protocol of the embedded Web page. If your users visit the HTTP version of your Web page, the script will be loaded over http:// and if your users visit the HTTPS version of your Web site, the script will be loaded over https://.

    Seen in: https://developer.mozilla.org/es/docs/Seguridad/MixedContent/arreglar_web_con_contenido_mixto

    0 讨论(0)
提交回复
热议问题