HSTS in iFrame src - html

I'm building an app that needs to serve websites in an iframe. Since the websites are decided by the user, they usually enter only the domain name, like google.com or facebook.com. To render the website in an iframe I need to add http:// to this (I can't add https://, since the website may not be served over SSL, which will cause it to not render at all).
For this reason, I am forced to not use SSL on my website, since due to the mixed content policy I can't add iframes that request http. I wish to know if there's a way to force HSTS in the iframe src. For example, if I request http://example.org, the iframe will automatically render https://example.org (since it exists).

HTTPS doesn't allow you to serve HTTP content. All content on the page must come over a secure connection, including iframes. This is a browser standard, so there's no workaround to be had. Either your page has to be HTTP or the iframe has to be HTTPS.
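As an added illustration (not part of the original question or answer), the Python model of a browser's HSTS cache below shows why HSTS cannot be forced from the iframe src: an http:// URL is only upgraded when the browser already holds an unexpired policy for that host, learned from a Strict-Transport-Security header on an earlier HTTPS response. Host names and timestamps are constructed.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit

# Constructed model of the browser's HSTS store: host -> (expiry, includeSubDomains)
HSTS_CACHE: dict[str, tuple[float, bool]] = {}

def parse_hsts(header: str) -> tuple[int, bool] | None:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None            # RFC 6797: max-age must be a decimal integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_response(host: str, headers: dict[str, str], now: float, over_https: bool) -> None:
    """Learn a policy from a response. Browsers ignore HSTS sent over plain HTTP."""
    header = headers.get("Strict-Transport-Security")
    if not over_https or header is None or (parsed := parse_hsts(header)) is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        HSTS_CACHE.pop(host, None)     # max-age=0 tells the browser to forget the host
    else:
        HSTS_CACHE[host] = (now + max_age, include_sub)

def upgrade_url(url: str, now: float) -> str:
    """Rewrite http:// to https:// only when the host, or a parent domain whose
    policy has includeSubDomains, has an unexpired HSTS entry; else return as-is."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        entry = HSTS_CACHE.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue                   # no policy, or it has expired
        if i == 0 or entry[1]:         # exact host, or parent with includeSubDomains
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url                         # first visit: the iframe would still request http://
```

On a first visit the cache is empty, so the iframe src stays http:// and is blocked as mixed content; the upgrade only appears after the user's browser has seen the header on that host over HTTPS.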

Related

Odd Behavior on Image Size in HTTPS

I have been learning HTML and CSS and I am creating a website. There is a section where I add 3 images, and these images have odd behavior when displaying.
When I access the website on Samsung Internet under HTTP I get them as expected: like this
But when I access under HTTPS I get: this
I have noticed that it works under HTTP and HTTPS on other browsers like Chrome.
This issue is an instance of mixed content that occurs when HTML pages load over a secure HTTPS connection but link to resources (images, CSS, or JS) over an insecure HTTP connection. This is generally triggered by inputting an image within the page that runs over an HTTP connection. When you upload and post images but do not update the image links on the page after getting an SSL certification, the browsers will recognize them as insecure elements.
For your own domain, serve all content as HTTPS and fix your links. Often, the HTTPS version of the content already exists, and this just requires adding an “s” to links – http:// to https://.
For images hosted on other domains, use the site’s HTTPS version if available.
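An added example, not from the original answer: a small Python mixed-content check that resolves every subresource reference in a page and lists the ones an HTTPS page would fetch over plain HTTP. The HTML and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that name a subresource the browser fetches, per element.
# (link href is flagged for any rel; a real linter would skip rel=canonical etc.)
URL_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: list = []            # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in URL_ATTRS.get(tag, ()):
                continue
            if name == "srcset":            # "url 1x, url 2x": keep only the URLs
                refs = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                refs = [value]
            for ref in refs:
                absolute = urljoin(self.page_url, ref.strip())   # resolves "//host" and relative refs
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, absolute))

def find_mixed_content(page_url: str, html: str) -> list:
    """Return (tag, url) pairs for subresources an https:// page would fetch over http://."""
    if urlsplit(page_url).scheme != "https":
        return []                            # mixed content only exists on secure pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page: three insecure references; the relative and
# protocol-relative image URLs inherit https:// and are not flagged.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://www.example.org/img/a.png">
<img src="/img/b.png">
<img src="//www.example.org/img/c.png">
<iframe src="http://www.example.org/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.org/page", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```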

Does linking from an https site/page to http site triggers a security warning?

I have a secure page, with its full security certificate in the SSL protocol or https, but when using a relative link to a non-secure part of my website it forces the https protocol on it and causes all kinds of problems like the CSS styles not loading and header and footer missing. My idea is to make the link absolute, without the https. Will it trigger a security warning when clicked, or will it in any way compromise the security of that page or invalidate the certificate?
No, there isn't a warning for a link to a non-secure part of your website. However, this isn't a good security practice. Once the user goes to a non-secure part, an attacker could use something like sslstrip to keep HTTPS turned off even when they try to go back to a secure part. Instead, you should make your entire site accessible over HTTPS.

Can you navigate other websites from your page using an iframe?

I am trying to make a webpage from which I can browse my social media feeds, email inbox and news sources through iframes. Is this at all possible? I have noticed that YouTube and Facebook, for instance, do not allow their sites to be displayed in an iframe. Are there any alternatives to make this work?
Thank you for taking the time to read.
If a simple <iframe> isn't working then there isn't any way of doing it in JavaScript either. The most likely reason for the iframe not working is because the target site is sending a header to prevent other sites iframing it:
X-Frame-Options: DENY
A lot of sites will do this to prevent a common vulnerability known as UI Redressing or Click Hijacking. Some sites will also include some frame busting JavaScript as a backup security measure to the HTTP header.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

rtmpt(e) stream on SSL Page

I'm developing an audio streaming web service for PC browsers.
We want to use the rtmpt(e) protocol for streaming with the Flash plugin.
The main HTML page has an https:// URL.
The problem is, when our SWF tries to connect to the streaming server (via HTTP tunnelling), some browsers (i.e. Chrome) show a warning on the secure icon in the URL bar:
Your connection to ???.???.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.
and on the developer console:
The page at 'https://***.***.com/' was loaded over HTTPS, but displayed insecure content from 'http://stream.***.net/fcs/ident2': this content should also be loaded over HTTPS.
The page at 'https://***.***.com/' was loaded over HTTPS, but displayed insecure content from 'http://***.***.***.113/open/1': this content should also be loaded over HTTPS.
...
I think this is because Flash uses the browser's URL loading facility when accessing HTTP.
How can I avoid these warnings?
We don't want to use rtmp(e) because 1935 may be blocked by a firewall in the user's environment, nor rtmps because our streaming server doesn't support it.
And we don't want to use http:// for the main HTML because of a requirement.
How can I avoid these warnings?
Fix the Mixed Content. Load everything over HTTPS.

What reasons could an iframe have for not loading?

I think the question is pretty simple: what reasons could an iframe have for not loading its content?
This came up because I have an iframe in my site's "thank you" page to track conversions. For some reason, when using dev tools in Chrome I can't find any content inside the body or head tags inside the iframe.
But if I click on the iframe's URL, the conversion is correctly activated and I see the message "Conversion logged: true".
Could there be something in my own site preventing the iframe from loading? How can I assure that the iframe will load correctly? Could using an img pixel instead solve this problem?
Because your iframe is coming from a different domain, it is possible the domain you are attempting to serve the iframe from has a security policy which prevents you from embedding it in your page.
There are two potential technologies related to this.
X-FRAME-OPTIONS HTTP header: page owners can specify that their content should not show in an iframe or only show in an iframe on the same origin (domain).
Content Security Policy (CSP): has "frame-src" (non-standard implementation in Firefox) and "frame-options" (standardized) directives. It allows setting policies for iframes similar to X-FRAME-OPTIONS.
In essence, if you're serving content from a third-party site you don't control, it's possible they may have an HTTP header or security policies in place that would prevent the iframe content from showing in your page.
More Resources:
CSP support (caniuse.com)
Other possibilities (which I think are unlikely since it worked when you loaded the page directly):
Ad-blocking browser extensions
"Do Not Track" policy
Browser extensions that block tracking tools
Tracking elements are often blocked by browser add-ons like Adblock Plus and NoScript.
To be more specific about your case, we need an example page that demonstrates the problem.
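As an added example serving both this answer and the earlier X-Frame-Options answer (not code from either post), the Python function below applies a target site's X-Frame-Options header and CSP frame-ancestors directive to decide whether its response may be framed from a given embedding origin; when frame-ancestors is present it takes precedence over X-Frame-Options. Header values and origins are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def _source_matches(source: str, embedder: str, target: str) -> bool:
    """Match one frame-ancestors source expression against the embedding origin."""
    src = source.lower()
    if src == "'self'":
        return embedder == target
    if src.endswith(":") and "//" not in src:          # scheme-source such as "https:"
        return embedder.startswith(src + "//")
    scheme, sep, hostport = src.partition("://")
    if not sep:                                         # host-source without a scheme
        scheme, hostport = "*", scheme
    host, _, port = hostport.partition(":")
    emb = urlsplit(embedder)
    emb_host = emb.hostname or ""
    scheme_ok = scheme == "*" or scheme == emb.scheme
    host_ok = emb_host.endswith(host[1:]) if host.startswith("*.") else emb_host == host
    emb_port = emb.port or DEFAULT_PORTS.get(emb.scheme)
    port_ok = port in ("", "*") or port == str(emb_port)
    return scheme_ok and host_ok and port_ok

def can_be_framed(headers: dict, embedder_origin: str, target_origin: str) -> bool:
    """True if a browser would render the target's response inside the embedder's page.
    Origins are "scheme://host[:port]" strings, compared the way a browser does."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, X-Frame-Options must be ignored (CSP spec).
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return False
            return any(_source_matches(s, embedder_origin, target_origin) for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder_origin == target_origin
    return True    # no policy: framing allowed (the obsolete ALLOW-FROM form is not modeled)
```

Run it against the response headers of the page you are trying to embed (from the Network panel of the browser's dev tools) to tell a policy refusal apart from the blocker-extension causes listed above.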