Sunday, November 19, 2017

Is there an issue opening an https page within a frame?

The foundation of the browser's security model is the same-origin policy, which protects web sites from one another. A detailed, step-by-step example is given in this tutorial: Security in Depth: Local Web Pages
In short,
What if a web page comes from your local file system rather than from the Internet? Consider the following hypothetical attack if your browser did not limit the power of local pages:
  1. You receive an email message from an attacker containing a web page as an attachment, which you download.
  2. You open the now-local web page in your browser.
  3. The local web page creates an <iframe> whose source is https://mail.google.com/mail/.
  4. Because you are logged in to Gmail, the frame loads the messages in your inbox.
  5. The local web page reads the contents of the frame by using JavaScript to access frames[0].document.documentElement.innerHTML. (An Internet web page would not be able to perform this step because it would come from a non-Gmail origin; the same-origin policy would cause the read to fail.)
  6. The local web page places the contents of your inbox into a <textarea> and submits the data via a form POST to the attacker's web server. Now the attacker has your inbox, which may be useful for spamming or identity theft.
There is nothing Gmail can do to defend itself from this attack. Accordingly, browsers prevent it by making various steps in the above scenario difficult or impossible.

The LocalLinks add-on for Chrome opens local file:// links in a new tab:

Allows opening file:// links on pages loaded by the http(s):// scheme
The security model of Chrome prevents/blocks the user from opening file:// links when the user selects (left-clicks) the link or opens it in a new window (middle-click). Loading this extension will allow you to follow file:// links when you explicitly select them (left-click/middle-click). The HTML elements it will follow are ones like <a href="file://server/share/file.txt"> or <a href="file://c:/localdiskfile.txt">.
NOTE: It can't load images (like <img src="file://..." />)!
To open a link in the same tab, use the left mouse button.
To open a link in a new background tab, use the middle mouse button.
This extension is modeled after the LocalLink add-on for Firefox.
CHANGES in this version: + Respect the target="_blank" attribute on left click


There are also two other types of security problem:
  • calling an iframe with https from your http server.
  • calling an iframe with http from your https server.
The Mozilla Foundation gives full details here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

Same-origin policy (from MDN)

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.

Definition of an origin

Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages. The following table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html:
--------------------------------------------------------------------------------
                   URL                           | Outcome |    Reason         |
--------------------------------------------------------------------------------
http://store.company.com/dir2/other.html         | Success |                   |
--------------------------------------------------------------------------------
http://store.company.com/dir/inner/another.html  | Success |                   |
--------------------------------------------------------------------------------
https://store.company.com/secure.html            | Failure | Different protocol|
--------------------------------------------------------------------------------
http://store.company.com:81/dir/etc.html         | Failure | Different port    |
--------------------------------------------------------------------------------
http://news.company.com/dir/other.html           | Failure | Different host    |
--------------------------------------------------------------------------------
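As an added example (not part of the original post or of the MDN page it quotes), the following JavaScript applies the definition above to pairs of URLs and returns the Outcome and Reason columns of the table. It uses the WHATWG URL API that browsers and Node.js provide; the sample URLs are the rows of the table, and the default-port map is an assumption of this example (the table itself only says "port, if one is specified").

```javascript
// Added example: same-origin comparison following the definition above
// (scheme, host, port). Not code from the original post or from MDN.

// Default ports per scheme (assumption of this example). URL.port is "" when
// a URL uses its scheme's default port, so the map lets "http://host" and
// "http://host:80" compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function effectivePort(url) {
  return url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] || "");
}

// Returns { outcome, reason } in the wording of the table above. The checks
// run in the order protocol, host, port so that the https row reports
// "Different protocol" rather than the port difference it also has.
function compareOrigins(baseUrl, otherUrl) {
  const a = new URL(baseUrl);
  const b = new URL(otherUrl);
  if (a.protocol !== b.protocol) return { outcome: "Failure", reason: "Different protocol" };
  if (a.hostname !== b.hostname) return { outcome: "Failure", reason: "Different host" };
  if (effectivePort(a) !== effectivePort(b)) return { outcome: "Failure", reason: "Different port" };
  return { outcome: "Success", reason: "" };
}

function sameOrigin(baseUrl, otherUrl) {
  return compareOrigins(baseUrl, otherUrl).outcome === "Success";
}

// Cross-check against the platform's own notion: URL.origin serialises
// scheme://host[:port] with default ports omitted, and is the opaque value
// "null" for file: URLs, which is why local pages are the special case in
// the scenario quoted above. Returns null when either origin is opaque.
function agreesWithUrlOrigin(baseUrl, otherUrl) {
  const a = new URL(baseUrl).origin;
  const b = new URL(otherUrl).origin;
  if (a === "null" || b === "null") return null;
  return sameOrigin(baseUrl, otherUrl) === (a === b);
}

// The rows of the table, as constructed input.
const BASE = "http://store.company.com/dir/page.html";
const TABLE_ROWS = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/secure.html",
  "http://store.company.com:81/dir/etc.html",
  "http://news.company.com/dir/other.html",
];

function renderTable() {
  return TABLE_ROWS.map((url) => {
    const r = compareOrigins(BASE, url);
    return `${url} | ${r.outcome} | ${r.reason}`;
  });
}

console.log(renderTable().join("\n"));
```

Running it reproduces the five rows of the table; the two extra cases worth knowing are that an explicit default port (":80") and upper-case scheme or host letters do not change the origin, because the URL parser normalises both before the comparison.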

Why should you not mix http and https when using iframes?

How does it work?
  1. If the protocol of your page is http, then use an http page inside the iframe.
  2. If the protocol of your page is https, then use an https page inside the iframe.
But why should you not do this?

1. https with http iframe

Let's start with the one you should not do: your page is https and your iframe page is http. This scenario is called "Mixed Active Content" and is blocked by more and more browsers.
I have found a nice description from a Firefox developer about this topic: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
There you find, e.g., the following: Firefox and Internet Explorer consider frames Mixed Active Content, while Chrome considers frames Mixed Passive Content. This means that Firefox and Internet Explorer block iframes while Chrome does not (yet).

2. http with https iframe

The other way is including an iframe with an https page in an http page.
This is the way you can do it, but it is not recommended (see below why)! If you really have no other way, please test whether it works on all major browsers. I already had users with side effects when it came to cookies or session handling!
The next section is from "HTTP and HTTPS iframe":
It is generally bad practice to embed an iframe with content served over HTTPS within a page served over plain HTTP (i.e. to mix content). The reason for this is that there's no good way for the user to check they're using the HTTPS site they intend (unless the user really wants to check the source of the page).
An attacker could very well replace the content you serve like this:
<iframe src="https://your.legitimate.example/loginframe" width="300" height="150"></iframe>
with:
<iframe src="https://rogue.site.example/badloginframe"></iframe>
or even:
<iframe src="http://rogue.site.example/badloginframe"></iframe>
This is very hard for the user to detect, and it defeats the security measure you're trying to put in place by enabling login via HTTPS.
So I hope you now don't mix content anymore ;).
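To make the two mixings above something you can check for rather than only remember, here is an added example (not code from the original post or from any project it mentions): a small audit that pulls the src of every <iframe> out of an HTML document and classifies it against the scheme of the page embedding it. The sample page, host names and verdict labels are constructed for the example; the src values are extracted with a regular expression, which is enough for a demo but is not a full HTML parser.

```javascript
// Added example: mixed-content audit for <iframe> elements.
// Not code from the original post or any project it mentions.

// Pulls src attribute values (double-quoted, single-quoted or bare) out of
// every <iframe ...> start tag. Frames that only carry srcdoc have no src
// and are therefore not reported.
function extractFrameSources(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    sources.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  return sources;
}

// Classifies one frame relative to the page that embeds it. Relative and
// protocol-relative ("//host/path") srcs are resolved against the page URL,
// so "//widget.example/x" becomes http or https depending on the page.
function classifyFrame(pageUrl, src) {
  const page = new URL(pageUrl);
  const frame = new URL(src, pageUrl);
  const result = { src: frame.href, verdict: "", note: "" };
  if (frame.protocol !== "http:" && frame.protocol !== "https:") {
    result.verdict = "other-scheme";
    result.note = "not an http(s) frame; review separately";
  } else if (page.protocol === "https:" && frame.protocol === "http:") {
    result.verdict = "mixed-active";
    result.note = "http frame inside an https page: Mixed Active Content, blocked by Firefox and IE";
  } else if (page.protocol === "http:" && frame.protocol === "https:") {
    result.verdict = "https-in-http";
    result.note = "https frame inside an http page: it loads, but the user cannot tell which origin the frame came from";
  } else {
    result.verdict = "same-scheme";
  }
  return result;
}

function auditFrames(pageUrl, html) {
  return extractFrameSources(html).map((src) => classifyFrame(pageUrl, src));
}

function countByVerdict(findings) {
  return findings.reduce((acc, f) => {
    acc[f.verdict] = (acc[f.verdict] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample page: four frames with a src plus one srcdoc-only frame.
const SAMPLE_HTML = `
<html><body>
  <iframe src="https://login.example/loginframe" width="300" height="150"></iframe>
  <iframe src='http://cdn.example/banner'></iframe>
  <iframe src=//widget.example/embed></iframe>
  <iframe src="about:blank"></iframe>
  <iframe srcdoc="inline content"></iframe>
</body></html>`;

console.log(auditFrames("http://shop.example/checkout", SAMPLE_HTML));
console.log(auditFrames("https://shop.example/checkout", SAMPLE_HTML));
```

The same HTML audited once as an http page and once as an https page shows the asymmetry the text describes: the https login frame is "https-in-http" on the http page and clean on the https page, the http banner flips the other way to "mixed-active", and the protocol-relative widget silently follows whichever scheme the page has.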
IF YOU STILL REALLY WANT TO DO THIS: The external workaround does NOT work by default in this setup, as the JavaScript is then loaded from an http domain, which is blocked! So to get this working you need to
  1. Enable "Use post message for communication" on the "External workaround" tab.
  2. Copy the generated ai_external.js to an https domain and include it from there! Remember to copy ai_external.js again each time you change something with the "save" icon in the administration.
For more, you can go through this link: https://stackoverflow.com/a/25189561/2293534
Resource Link: https://stackoverflow.com/a/40481890/2293534
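The "post message" option above means the http parent page and the https frame talk through window.postMessage. Whatever library does that for you, the part worth seeing is the origin checks on both ends. The following is an added example, not code from the original post and not the Advanced iFrame plugin's ai_external.js: the origins, message types and handlers are hypothetical, and the "events" are plain objects shaped like MessageEvent so the logic runs outside a browser.

```javascript
// Added example: origin checks for a parent/iframe postMessage channel where
// the parent page is http and the frame is https. Not code from the original
// post or from the Advanced iFrame plugin; all names below are hypothetical.

const PARENT_ORIGIN = "http://shop.example";    // hypothetical embedding page
const FRAME_ORIGIN = "https://widget.example";  // hypothetical https frame

// Builds a message handler that accepts messages only from expectedOrigin
// (exact string match, never a prefix or substring test) and only of the
// types listed in handlers. Everything else is rejected with a reason the
// page can log instead of acting on.
function createReceiver(expectedOrigin, handlers) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) {
      return { accepted: false, reason: "origin mismatch: " + event.origin };
    }
    const data = event.data;
    if (data === null || typeof data !== "object" || typeof data.type !== "string") {
      return { accepted: false, reason: "malformed message" };
    }
    const handler = Object.prototype.hasOwnProperty.call(handlers, data.type) ? handlers[data.type] : null;
    if (handler === null) {
      return { accepted: false, reason: "unknown message type: " + data.type };
    }
    return { accepted: true, result: handler(data) };
  };
}

// Sender side: always name the target origin. With "*" the message would be
// delivered to whatever document currently occupies the frame, including a
// page the frame has since been navigated to.
function sendTo(targetWindow, targetOrigin, message) {
  targetWindow.postMessage(message, targetOrigin);
  return { message, targetOrigin };
}

// Parent-side handlers: the frame may ask the parent to resize it, but the
// value is validated and clamped before it would touch the DOM.
const MAX_FRAME_HEIGHT = 4000;
const parentReceiver = createReceiver(FRAME_ORIGIN, {
  resize: (msg) => {
    const h = Number(msg.height);
    if (!Number.isFinite(h) || h < 0) return { height: 0 };
    return { height: Math.min(Math.floor(h), MAX_FRAME_HEIGHT) };
  },
});

// Frame-side handlers: the parent may tell the frame which theme to use.
const frameReceiver = createReceiver(PARENT_ORIGIN, {
  theme: (msg) => ({ theme: msg.name === "dark" ? "dark" : "light" }),
});

// Constructed events standing in for real MessageEvent objects.
const goodResize = { origin: FRAME_ORIGIN, data: { type: "resize", height: 450 } };
const lookalikeResize = { origin: "https://widget.example.evil-lookalike.test", data: { type: "resize", height: 450 } };
const hugeResize = { origin: FRAME_ORIGIN, data: { type: "resize", height: "1e9" } };

console.log(parentReceiver(goodResize));
console.log(parentReceiver(lookalikeResize));
console.log(parentReceiver(hugeResize));
```

In a real page you would register the receiver with window.addEventListener("message", parentReceiver) and call sendTo(frameElement.contentWindow, FRAME_ORIGIN, ...); the functions return their decisions here so they can be exercised without a DOM.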
