Problem
I load some HTML into an iframe but when a file referenced is using http, not https, I get the following error:
Is there a way to disable this or go around it?
The iframe doesn’t have a src attribute, hence the contents are determined by:
frame.open();
frame.write(html);
frame.close();
Asked by georgephillips
Solution #1
The best solution I came up with was to use Google as an SSL proxy…
https://www.google.com/search?q=%http://yourhttpsite.com&btnI=Im+Feeling+Lucky
Firefox has been tested and found to be functional.
Other Methods:
Unless you can persuade the owner of the http site to create a ssl certificate, the best secure and long-term answer is to establish an RSS feed that grabs the stuff you need (assuming you aren’t actually ‘doing’ anything on the http site, such as signing in to any system).
The fundamental problem is that using http parts on a https site is a security risk. Because there are no entirely kosher techniques to avoid this security risk, the foregoing are only temporary solutions.
Most browsers allow you to turn off this security feature (yourself, not for others). Also, keep in mind that these ‘hacks’ may become obsolete in the future.
Answered by Matthew Peters
Solution #2
Based on the broad nature of this query, I believe you’ll need to set up your own HTTPS proxy on a web server. Follow the instructions below:
If you simply download remote site content via file_get_contents or similiar, you can still have insecure links to content. You’ll need to use regex to find them and then replace them. Images are hard to solve, but Ï found workaround here: http://foundationphp.com/tutorials/image_proxy.php
Answered by panpernicek
Solution #3
I realize this is an old post, but another option is to use cURL, such as:
redirect.php:
<?php
if (isset($_GET['url'])) {
$url = $_GET['url'];
$ch = curl_init();
$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);
curl_close($ch);
echo $data;
}
then put something like this in your iframe tag:
<iframe src="/redirect.php?url=http://www.example.com/"></iframe>
This is just a SMALL example to demonstrate the concept; it doesn’t sanitize the URL, and it won’t stop someone else from using redirect.php for their own purposes. Think about these ideas in terms of your own website.
The upside, though, is it’s more flexible. For example, you could add some validation of the curl’d $data to make sure it’s really what you want before displaying it — for example, test to make sure it’s not a 404, and have alternate content of your own ready if it is.
Plus, I’m hesitant to rely on Javascript redirection for anything significant.
Cheers!
Answered by David R.
Solution #4
http-equiv======================== “Content-Security-Policy” content=”upgrade-insecure-requests”> “Content-Security-Policy” content=”upgrade-insecure-requests”> in the mind
Answered by user2523022
Solution #5
When trying to show non-secure material on a https page, most browsers will always give you a warning about banned content. If you wish to embed content from other sites that aren’t secured with SSL, this can be difficult. You can turn off the warnings or remove the blocking in your own browser but for other visitors it’s a problem.
One method is to load the material from the server, store the photos and other assets to your server, and then display them via https.
You might also try utilizing a service like embed.ly to obtain the content. They have the ability to put material behind https.
Answered by Addeladde
Post is based on https://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site