WebApp Sec mailing list archives
Re: Secure iFrames
From: David Ford <david () blue-labs org>
Date: Wed, 05 Nov 2014 09:56:50 -0500
There's no need to redirect to a different index.html page, just redirect from http->https. Make all your embedded urls in the form of "//foo.bar/a/b/c.html" instead of "http[s]://foo.bar/a/b/c.html"

-david

On 11/03/2014 08:43 PM, Dave Pyper wrote:
From a high level, your design should start with the HTTP-served index.html page that redirects to an HTTPS-served index2.html that calls the remote HTTPS-served iFrame-embedded page(s). There are details that will be specific to your implementation, like protocol restrictions on index (HTTP-only) and index2 (HTTPS-only) files, and so forth that I won't go into. But for the sake of old-school simplicity, that's the model I recommend and use.
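
The scheme-relative URL form discussed in this thread, as an added example that is not part of either post: a Python audit that resolves each embedded URL against the page URL the way a browser would, flags embeds that would load over plain HTTP from an HTTPS page, and suggests the "//host/path" form. The page URL example.com and the sample markup are constructed; foo.bar is the placeholder host from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tags whose URL attribute makes the browser fetch an embedded resource.
EMBED_ATTR = {"iframe": "src", "script": "src", "img": "src", "link": "href"}


def to_scheme_relative(url):
    """Turn http://host/path or https://host/path into //host/path."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return urlunsplit(("", parts.netloc, parts.path, parts.query, parts.fragment))
    return url  # relative, already scheme-relative, or another scheme


class EmbedFinder(HTMLParser):
    """Collects (tag, url) pairs for embedded resources."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = EMBED_ATTR.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value))


def audit(html, page_url):
    """Resolve every embed against page_url and flag mixed content."""
    finder = EmbedFinder()
    finder.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    report = []
    for tag, url in finder.found:
        resolved = urljoin(page_url, url)  # "//host/x" inherits the page scheme
        mixed = page_is_https and urlsplit(resolved).scheme == "http"
        report.append({"tag": tag, "url": url, "resolved": resolved,
                       "mixed": mixed, "suggested": to_scheme_relative(url)})
    return report


# Constructed sample markup, not taken from the thread.
SAMPLE_HTML = """
<iframe src="http://foo.bar/a/b/c.html"></iframe>
<script src="//foo.bar/a/app.js"></script>
<img src="/local/logo.png">
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, "https://example.com/index.html"):
        print(row)
```

A scheme-relative URL inherits whatever scheme the embedding page was loaded with, so it only resolves to HTTPS once the page itself is served over HTTPS, which is what the http->https redirect provides.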