Coder Perfect

How to allow http content within an iframe on a https site [duplicate]


I load some HTML into an iframe but when a file referenced is using http, not https, I get the following error:

Is there a way to disable this or go around it?

The iframe doesn’t have a src attribute, hence the contents are determined by:;

Asked by georgephillips

Solution #1

The best solution I came up with was to use Google as an SSL proxy…

Firefox has been tested and found to be functional.

Other Methods:

Unless you can persuade the owner of the http site to create a ssl certificate, the best secure and long-term answer is to establish an RSS feed that grabs the stuff you need (assuming you aren’t actually ‘doing’ anything on the http site, such as signing in to any system).

The fundamental problem is that using http parts on a https site is a security risk. Because there are no entirely kosher techniques to avoid this security risk, the foregoing are only temporary solutions.

Most browsers allow you to turn off this security feature (yourself, not for others). Also, keep in mind that these ‘hacks’ may become obsolete in the future.

Answered by Matthew Peters

Solution #2

Based on the broad nature of this query, I believe you’ll need to set up your own HTTPS proxy on a web server. Follow the instructions below:

If you simply download remote site content via file_get_contents or similiar, you can still have insecure links to content. You’ll need to use regex to find them and then replace them. Images are hard to solve, but Ï found workaround here:

Answered by panpernicek

Solution #3

I realize this is an old post, but another option is to use cURL, such as:


if (isset($_GET['url'])) {
    $url = $_GET['url'];
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    echo $data;

then put something like this in your iframe tag:

<iframe src="/redirect.php?url="></iframe>

This is just a SMALL example to demonstrate the concept; it doesn’t sanitize the URL, and it won’t stop someone else from using redirect.php for their own purposes. Think about these ideas in terms of your own website.

The upside, though, is it’s more flexible. For example, you could add some validation of the curl’d $data to make sure it’s really what you want before displaying it — for example, test to make sure it’s not a 404, and have alternate content of your own ready if it is.

Plus, I’m hesitant to rely on Javascript redirection for anything significant.


Answered by David R.

Solution #4

http-equiv======================== “Content-Security-Policy” content=”upgrade-insecure-requests”> “Content-Security-Policy” content=”upgrade-insecure-requests”> in the mind

Answered by user2523022

Solution #5

When trying to show non-secure material on a https page, most browsers will always give you a warning about banned content. If you wish to embed content from other sites that aren’t secured with SSL, this can be difficult. You can turn off the warnings or remove the blocking in your own browser but for other visitors it’s a problem.

One method is to load the material from the server, store the photos and other assets to your server, and then display them via https.

You might also try utilizing a service like to obtain the content. They have the ability to put material behind https.

Answered by Addeladde

Post is based on