2

In the administration of advanced iframe I came across the following:

"Please do not use a different protocol for the iframe: Do not mix HTTP and HTTPS if possible!".

Please explain the below points.

  • If the protocol of my page is HTTP then use an HTTP page inside the iframe.
  • If the protocol of my page is HTTPS then use an HTTPS page inside the iframe.
Heena Vora
  • I'm not sure what you are asking: the title asks "why we should not mix" while in the body you ask "what does this mean" - while already answering this part. See also [Specific risks of embedding an HTTPS iframe in an HTTP page](https://security.stackexchange.com/questions/38317/specific-risks-of-embedding-an-https-iframe-in-an-http-page). – Steffen Ullrich Feb 27 '20 at 07:26
  • There is even a demo here: https://www.tinywebgallery.com/blog/iframe-do-not-mix-http-and-https – jwilleke Feb 28 '20 at 08:34

1 Answer

2

[HTTP on HTTPS] By mixing HTTP with HTTPS you'll end up with mixed content in your site (in websites), hence the green code in your site that indicates your site is secure will be replaced with a site-is-insecure indicator for that specific page that contains an HTTP call.

It's insecure because generally you'll be serving content on a secure protocol via an insecure tunnel (info on that page can be accessed via an HTTP link). Anyone with a little know-how of how things work on the web can easily intercept the data and maybe even rewrite it for his/her/its own benefit. Imagine if, for example, Google was serving its services via HTTP; think of how many phishing grounds that would create (hackers trying to get sensitive data). Users would no longer be able to know which is the actual secure site, and they would end up losing, if not all, at least a third of their customers.

Stevemats
  • Welcome to the site! Could you elaborate on *why* it is insecure? That the status changes from secure to insecure when you mix content is probably clear to anyone who has tried this. – Luc Feb 27 '20 at 13:14
  • Additionally, if you attempt to call insecure sites within an iframe, where the iframe is on a secure page, web browsers often will not permit the pages to load. – Jeff Clayton Feb 28 '20 at 14:45
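To check a page for the scheme mismatch discussed in this thread, the following added example (not part of the original question, answer or comments, and not code from the advanced iframe plugin) resolves each iframe `src` against the embedding page's URL and reports where the schemes differ. The hostnames, sample markup, function names and verdict labels are constructed for illustration.

```javascript
// Added example; hostnames and markup below are constructed sample data.

// Pull the src attribute out of each <iframe> tag. A regex is a simplification
// for an audit script; browsers use a full HTML parser.
function iframeSources(html) {
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const sources = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const m = srcRe.exec(tag); // data-src and srcdoc are deliberately not matched
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve src against the page URL (covers relative and //host URLs),
// then compare the two schemes.
function classifyFrame(pageUrl, src) {
  const page = new URL(pageUrl);
  let frame;
  try {
    frame = new URL(src, page);
  } catch {
    return { src, verdict: 'invalid-url' };
  }
  let verdict = 'same-scheme';
  if (frame.protocol !== 'http:' && frame.protocol !== 'https:') {
    verdict = 'not-http';            // about:, data:, and similar
  } else if (page.protocol === 'https:' && frame.protocol === 'http:') {
    verdict = 'mixed-content';       // HTTP frame inside an HTTPS page
  } else if (page.protocol === 'http:' && frame.protocol === 'https:') {
    verdict = 'https-in-http-page';  // frame is encrypted, the parent page is not
  }
  return { src, resolved: frame.href, verdict };
}

function auditPage(pageUrl, html) {
  return iframeSources(html).map((src) => classifyFrame(pageUrl, src));
}

const SAMPLE_HTML = `
<iframe src="http://widgets.example.com/form"></iframe>
<iframe src='https://widgets.example.com/form'></iframe>
<iframe src="//cdn.example.net/player"></iframe>
<iframe src=/local/help.html></iframe>
<iframe data-src="http://lazy.example.com/"></iframe>`;

for (const r of auditPage('https://shop.example.com/checkout', SAMPLE_HTML)) {
  console.log(r.verdict.padEnd(20), r.src);
}
```

Protocol-relative (`//host/...`) and relative sources inherit the embedding page's scheme, so they never produce a mismatch on their own.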