WebApp Sec mailing list archives

Re: Secure iFrames


From: David Ford <david () blue-labs org>
Date: Wed, 05 Nov 2014 09:56:50 -0500

There's no need to redirect to a different index.html page, just
redirect from http->https. Make all your embedded urls in the form of
"//foo.bar/a/b/c.html" instead of "http[s]://foo.bar/a/b/c.html"

-david

On 11/03/2014 08:43 PM, Dave Pyper wrote:
> From a high-level, your design should start with the HTTP-served index.html page that redirects to an HTTPS-served
> index2.html that calls the remote HTTPS-served iFrame-embedded page(s). There are details that will be specific to
> your implementation, like protocol restrictions on index (HTTP-only) and index2 (HTTPS-only) files, and so forth that
> I won't go into. But for the sake of old-school simplicity, that's the model I recommend and use.
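
How the "//foo.bar/..." form from the reply above resolves, as an added example that is not part of the thread: it resolves each embedded `src` against the page URL with the standard `URL` API and flags http embeds on an https page. The sample markup, the `example.test` host, the function names and the regex-based attribute scan (a simplification of real HTML parsing) are assumptions.

```javascript
// Constructed sample page body; foo.bar is the host used in the thread.
const SAMPLE_HTML = `
<iframe src="//foo.bar/a/b/c.html"></iframe>
<iframe src="http://foo.bar/a/b/c.html"></iframe>
<script src="https://foo.bar/app.js"></script>
<img src="/local/logo.png">
`;

// Collect the src attribute of tags that embed sub-resources.
function embeddedUrls(html) {
  const re = /<(iframe|script|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ tag: m[1].toLowerCase(), raw: m[2] });
  }
  return out;
}

// Resolve every embed against the page URL, as a browser would, and mark
// mixed content: an https page that pulls a resource over plain http.
function audit(html, pageUrl) {
  const page = new URL(pageUrl);
  return embeddedUrls(html).map(({ tag, raw }) => {
    const resolved = new URL(raw, page);
    return {
      tag,
      raw,
      resolved: resolved.href,
      mixed: page.protocol === "https:" && resolved.protocol === "http:",
    };
  });
}

// Rewrite hard-coded http:// or https:// src values to the //host/path form.
function toSchemeRelative(html) {
  return html.replace(/(\bsrc\s*=\s*["'])https?:(\/\/)/gi, "$1$2");
}
```

A scheme-relative embed inherits http when the page itself is loaded over http, so the http->https redirect is still what puts the embeds on TLS.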




