Security concerns with an HTTPS iframe in an HTTPS page - html

Are there any security concerns when putting an HTTPS iframe in an HTTPS page? Or, security-wise, is it essentially the same as having a single HTTPS page?
(The iframe content is coming from a different domain if that makes a difference)

There are no on-the-wire privacy implications associated with this compared with a normal HTTPS page, but bear in mind that you're doubling the number of servers and probably companies involved.
Browser exploits, popups and adware can all be served under HTTPS, and visiting an HTTPS site that isn't in your control can expose your users to privacy violations if the HTTPS URL reveals personal information about one of your users. For example, if you serve https://www.example.com/redir.php?url= + CURRENT_URL and you've logged in a user using a GET postback with the username and password in the URL, you could be exposing this to third-party sites.
Other than that, there are no issues associated with embedding third-party HTTPS sites into your own HTTPS pages.

Chrome dev tools: displaying cookies

1. Visit a random site, for example example.com
2. Open dev tools, Application -> Cookies
3. Make sure that it's empty
4. Open the Console tab, make a fetch request to a random website, for example fetch('https://api.chucknorris.io/jokes/random')
5. Open Application -> Cookies again and notice cookies from the domain from step 4.
Many times a day I clear a website's cookies for debugging purposes. But in Chrome, clearing one website's cookies clears other sites' cookies as well, and it clears my sessions on other websites, which is not what I want.
Is it a bug or a feature in Chrome? I think that it's a bug and cookies from other domains shouldn't be shown, but maybe I'm missing something.
P.S. Firefox doesn't show cookies from other domains.
What I have observed is that the list of URLs under the 'Cookies' entry is the page that made a request to the origin server for the cookies shown. If you look in the network traffic you can see that the URLs in the 'Cookies' list are the referer of the requests to the origin servers, whose response sets the cookie. This is a common method for tracking cookies to be set. A.com in the 'Cookies' URL list will have some page with lots of IMG, Script or iframe elements that make requests to the domains in the list of cookies, and the responses from those domains set the cookies. What I found confusing is that the Chrome documentation (https://developers.google.com/web/tools/chrome-devtools/storage/cookies) refers to the list of URLs under the 'Cookies' entry as 'Origins'. They are not the cookie origins as defined in RFC 6265; they are the referer pages that made the requests to the cookie origin servers.

How can I know whether my website generated cookies on the user's PC or not?

We have a simple website for our company, deployed under IIS. It contains 5 HTML pages with CSS, and some HTML pages have links to other HTML pages, such as "go to home page". Now I want to check whether my website generated cookies on users' machines or not. Can I do so? And do HTML websites that do not have any login usually generate cookies?
Edit:
Using Chrome development tools (F12) I have found the following:
Load the development tools in your favourite web browser, then load your website.
In Chrome, the cookies will appear in the 'Application Tab' of the development tools, and under 'Storage' you will see 'Cookies.' Microsoft Edge has them in 'Debugger> Cookies'
Expand that and it will show all the cookies that have been delivered by your website.
It's possible for an 'HTML only' site to be delivering cookies, especially if you have 3rd-party content.
Most of the cookies are generated on your Server Side and sent to the client.
You will have to go through your code and see whether it generates cookies.
Usually, if it's a regular HTML page, your server won't create a session for it, and most likely no cookie will be sent to the client.
Otherwise, if you use .aspx pages or MVC (for example), most likely your server will generate a session cookie and send it with the response to the client.
Another thing you'll have to check is whether your pages contain references to 3rd-party websites, i.e. includes of .css / .js files from CDNs like Cloudflare; these CDNs usually put their own cookie in your client's browser.
And lastly, your pages might contain scripts like Google Analytics which put some cookies in your client's browser.
An HTML page does not create any cookies. Maybe you are mixing up cache with cookies? For example, in PHP you have to define what shall be saved into a cookie. If you don't define any cookie variables, there won't be any cookies.

Does the browser (Chrome/Firefox) automatically use https even when you try to use http?

I store URLs in a database for the users of my webapp and I am not sure whether I need to store whether it was an "http" or an "https" request.
If I don't store the type of the connection and just echo to the users a link with "http", will it in 100% of the cases use an "https" connection automatically (when it is possible)? I don't want to be responsible for a user not using an https connection even though it is possible.
Does the browser (Chrome/Firefox) automatically use https even when you try to use http?
No. If you tell the browser to use HTTP, then it will use HTTP.
Schemes will only be added to a URL automatically under two circumstances:
When it is a relative URL, in which case the scheme will be the same as the one used to load the current document.
When the user types the URL into the browser's address bar and omits the scheme, in which case it will default to HTTP (not HTTPS).
A web server might provide HTTP and HTTPS versions of the same URL with the HTTP version containing a redirect to the HTTPS version and the HTTPS version hosting the content.
A web server might, for that matter, not provide an HTTP version at all… but that is very uncommon.
I am not sure whether I need to store whether it was a "http" or a "https" request.
You should store the full URL. You shouldn't omit bits and hope that you can fill them in by guesswork.
It won't automatically do that, but there are ways to help out:
some users may have the "HTTPS Everywhere" extension, which will attempt to redirect to HTTPS
you can serve HSTS headers, which will make the browser automatically stick to HTTPS if the user has at least once been on HTTPS with your site
Now there are a few problems with these points:
not everyone uses the extension
HSTS only works once the user has visited the URL over HTTPS, and it will only work on sites with HSTS headers set up, so if the links are external, this might not be the case.
That being said: Are the links you store links to your own domain or external links to any web site?
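To make the HSTS caveat concrete, here is an added example (not code from the answer or from any browser) that models how a browser's HSTS cache decides whether an http:// link gets upgraded. The cache dict, function names and the sample responses are constructed for illustration; the rules modelled (only HTTPS responses populate the cache, max-age expiry, includeSubDomains, max-age=0 clears the entry) follow RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# cache: hostname -> (expiry_epoch_seconds, include_subdomains)

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_response(url, headers, cache, now=None):
    """Update the cache from one response; returns True if the cache changed."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # an HSTS header received over plain HTTP is ignored
    parsed = parse_hsts(headers.get("Strict-Transport-Security", "")) if "Strict-Transport-Security" in headers else None
    if parsed is None:
        return False
    max_age, include_sub = parsed
    if max_age == 0:
        cache.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
        return True
    cache[parts.hostname] = (now + max_age, include_sub)
    return True

def resolve(url, cache, now=None):
    """Return the URL the browser will actually request: upgraded to https only if an unexpired entry applies."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):  # exact host first, then each parent domain
        entry = cache.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue  # unknown host or expired entry
        if i == 0 or entry[1]:  # parent entries apply only with includeSubDomains
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

Run the functions against a fresh dict to see that an http:// link to a site the user has never reached over HTTPS stays plain HTTP no matter what header that site sends.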

Link to http or https

While adding a hyperlink to another site (which has SSL), the site documentation sometimes says to link to the http:// link instead of the https:// one (e.g. the Play Store, which is a site that uses SSL but does not tell you to link to https; instead, it says to link to http). They do not matter (as they function normally), but would there be a reason to link to the http:// instead of the https://?
Maybe they don't want extra encryption lowering the site speed, as SSL may decrease performance somewhat.
If users are downloading large, public files, there may be a system burden to encrypt these each time.
Some browsers may not support SSL.
You will probably want the home page accessible via HTTP, so that users don't have to remember to type https to get to it.
Only a specific portion of your page needs secure HTTP (HTTPS), not the whole site.
Your site is indexed mainly on HTTP on search engines.

Using HTTPS for GitHub Pages in Google Chrome

I added an operation to use the microphone for my GitHub Pages hosted blog. But Chrome keeps on asking for media permissions again and again. I found this out on the "Access Camera & Microphone in Chrome" support page. The error message is:
"If you select Allow on a "http" URL your preference will not be remembered in future visits."
How do I set up or use HTTPS on GitHub Pages? Or at least how can I make Chrome remember to Allow in the preference.
Since June 2016 (three years later), GitHub pages do support https!
See "HTTPS for GitHub Pages"
GitHub Pages now officially supports HTTPS for all <username>.github.io sites. HTTPS provides a layer of encryption that prevents others from snooping on or tampering with traffic to your Pages site.
You can now visit *.github.io sites using HTTPS and configure HTTPS enforcement for your site.
With HTTPS enforcement enabled, any HTTP requests to your github.io site will be transparently redirected to HTTPS.
No need to adjust anything in your Chrome.
GitHub Pages does not support HTTPS; see https://help.github.com/articles/what-are-github-pages