Display IFrame from the same domain under SSL
I am trying to wrap the login section of our page in an iframe that was created with SSL and display it across multiple pages on our website (sort of like a login widget).
However, I keep getting an error on the page displaying an iframe indicating that:
Refused to display in frame because it set "X-Frame-Options" to "SAMEORIGIN".
The login widget and the web pages I want to display it on are hosted on the same domain; is this a problem?
I have searched around and nothing seems to be able to avoid this problem. Does anyone have a solution to this problem?
<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="https://<sitename>/loginiframewidget.aspx"></iframe>
At the moment this is what I have in my web.config:
<httpProtocol>
  <customHeaders>
    <add name="access-control-allow-headers" value="content-type" />
    <!--<add name="Access-Control-Allow-Origin" value="*" />-->
    <add name="Content-Security-Policy" value="frame-ancestors 'self' mysite.com.au"/>
    <add name="X-Frame-Options" value="ALLOWALL"/>
  </customHeaders>
</httpProtocol>
And the titles displayed in Chrome Dev Tools on the page are as follows:
There are security issues in this situation.
First, you cannot be sure that the content of the unencrypted page was not modified in transit and that the src of the iframe was specified elsewhere.
Second, even if the user is logged in with SSL, their session ID in the cookie is sent in a clear manner and is easily spoofed.
Are you considering running an entire website in SSL? Servers these days handle this better than you think and you don't need iframes anymore.
Try setting the frame-ancestors Content-Security-Policy directive, and the X-Frame-Options header for older versions of IE.
http://caniuse.com/#feat=contentsecuritypolicy
You can add them via IIS or add them to your web.config file:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' mywebsite.com" />
      <add name="X-Frame-Options" value="ALLOW-FROM http://mywebsite.com" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
The headers should now be sent to the browser:
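The framing rules that the question's SAMEORIGIN error and this answer's config both turn on, as an added example that is not code from either post: a small Python model of the browser's framing decision. It assumes origins are compared as (scheme, host, port), that a CSP frame-ancestors directive overrides X-Frame-Options when both are sent, and that an unrecognised X-Frame-Options value is ignored; the host names are the posts' placeholders, not real sites.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) origin; http://host and https://host are different origins."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80))

def csp_frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None if the header lacks it."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(src, parent, resource):
    """Does one frame-ancestors source expression allow the `parent` origin?"""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent == resource
    if src.endswith(":") and "/" not in src:           # scheme-source such as "https:"
        return parent[0] == src[:-1]
    scheme, _, hostport = src.rpartition("://")        # host-source, scheme and port optional
    host, _, port = hostport.partition(":")
    schemes = (scheme,) if scheme else (resource[0], "https")  # schemeless: resource's scheme, or https
    if parent[0] not in schemes:
        return False
    if port and port != "*" and int(port) != parent[2]:
        return False
    if host.startswith("*."):                          # "*.site" matches subdomains, not the bare host
        return parent[1].endswith(host[1:])
    return parent[1] == host

def framing_allowed(headers, parent_url, resource_url):
    """True if a page at parent_url may frame the response at resource_url sent with `headers`."""
    parent, resource = origin(parent_url), origin(resource_url)
    h = {k.lower(): v for k, v in headers.items()}
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:   # CSP frame-ancestors takes precedence; X-Frame-Options is then ignored
        return any(source_matches(s, parent, resource) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == resource
    if xfo.startswith("ALLOW-FROM "):   # honoured only by old IE/Firefox; others treat it as invalid
        return parent == origin(xfo[len("ALLOW-FROM "):])
    return True   # no header, or an unrecognised value such as ALLOWALL: browsers ignore the header
```

Run it with the asker's case (an http page framing the https widget) and SAMEORIGIN refuses, because the scheme is part of the origin; the same holds for a schemeless host in frame-ancestors on an https response.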
No, you just can't do it: you can't access SSL resources on a page without SSL. And is your client ready to expose everything on the internet? Setting frame parameters still won't work, because the browser won't let you cross SSL boundaries.
HTTP is not completely secure; that is the reason every site on Google is now under SSL: non-SSL content can be modified by ISPs and firewalls. In fact, ISPs, firewalls and other routers are constantly injecting scripts into pages to track traffic.
Explain to your customer that today, starting an authenticated session without HTTPS is equivalent to locking the doors of the house but leaving all the windows open.
With persistent connections, the SSL negotiation only happens once and the performance impact is very low; you can improve site speed by pushing static content to CloudFront or any other CDN on your SSL subdomain.
OAuth - but recommended anyway over SSL
You can implement your own OAuth provider and use it to distribute OAuth tokens that can be used for server-side validation on your website. Your site can use secondary tokens issued by the OAuth provider to authenticate the user, and you can redirect users to an OAuth provider that runs under SSL. Thus, you can allow users to do limited insecure things under authentication on non-SSL pages, just like you can use Facebook / Google login etc. on sites without SSL.