
How can an IFRAME with URL https://domain/ access the DOM of the parent frame which has URL http://domain/ (HTTPS calls HTTP)?

Both frames will cooperate. The domain is the same in both frames, just the protocol is different. Setting document.domain is not allowed as that would allow for XSS attacks coming from other untrusted frames.

As an alternative to accessing the DOM it would be enough to send a message (containing a single integer). Notice that the postMessage API only works in IE8+. I need IE6+.

1 Answer


Is easyXDM an option? It supports postMessage for browsers with support, and falls back to other mechanisms for older browsers. Some of the mechanisms are a bit hacky but they work.

But why do you want to have a secure iframe on an insecure page?


6 Comments

The outer frame being HTTP is a given for us but it is trusted by us. The iframe being HTTPS is because the user can post sensitive data. I'll look into easyXDM, thanks.
Still, if you are on an open wireless or similar, an attacker can inject data into the http page (see for instance sslstrip) and reduce the security of the site.
Good point but the iframe's server makes sure it is only being called over HTTPS.
Attacker changes the iframe's src location to http://evil.com/proxy?url=https://real/location. Because the victim does not see the URL of the iframe in the URL bar, nothing seems wrong. The contents show as expected as well, only they are not genuine.
Nice attack ;-) Ok that would work but we don't care about that attack. At this point, security is secondary (with the exception that the iframe uses HTTPS to cover the most likely attack scenarios).
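Added example, not code from the question, the answer or easyXDM: the postMessage route the answer mentions, written for the case discussed here, where an https://domain/ iframe hands a single integer to its http://domain/ parent. Because the scheme differs, the two origins are distinct, so the sender names the parent's exact origin as targetOrigin and the receiver checks event.origin before trusting anything; the origin strings are placeholders for the asker's domain.

```javascript
// Placeholders standing in for the asker's http://domain/ and https://domain/.
const PARENT_ORIGIN = "http://example.test";
const IFRAME_ORIGIN = "https://example.test";

// Build the message the iframe sends. Only a plain integer is needed, so the
// payload is kept small and typed: no HTML, no code, no nested objects.
function buildMessage(value) {
  if (!Number.isInteger(value)) {
    throw new TypeError("only integers are sent across the frame boundary");
  }
  return { type: "counter", value: value };
}

// Validate a received message. Returns the integer, or null if the event must
// be ignored. The origin comparison is the whole point: without it, any page
// that obtains a reference to this window (including content injected into
// the HTTP parent, as the comments note) could deliver messages that look
// genuine. Scheme, host and port must all match, so http:// does not pass.
function acceptMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "counter" || !Number.isInteger(data.value)) return null;
  return data.value;
}

// Browser wiring. In the iframe (https://domain/), send to the exact parent
// origin rather than "*", so the value never reaches a frame that replaced
// the parent:
//   window.parent.postMessage(buildMessage(42), PARENT_ORIGIN);
// In the parent (http://domain/), accept only messages from the HTTPS origin.
// The listener is registered only where window exists, so the helpers above
// can also be exercised outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (e) {
    const n = acceptMessage(e, IFRAME_ORIGIN);
    if (n !== null) console.log("received", n);
  });
}
```

Browsers without postMessage (the IE6/7 case in the question) need a fallback such as the ones easyXDM provides; the origin check above is what any fallback must reproduce.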
