I’ve recently faced a problem involving passing data (a small amount) from a page to an iframe.
It was simple when both pages were http – I’ve used a query string to pass information to the iframe and JavaScript to signal the parent page of process completion.
When the iframe location was changed to https, there was a problem accessing the parent by JavaScript, because https and http are considered different domains – it was solved by using a redirect in the iframe to an ordinary page and invoking JavaScript from there.
It worked fine, both on IE and FF, yet upon testing a peculiar behavior was discovered.
Only in IE, in a scenario where a user visited a page in the https domain, went to the http page, and worked with the iframe, after the redirect the script was still unable to run, giving a cryptic exception – TypeError: Access is denied.
I didn’t find a way to check the current location of the iframe from the parent page, and the only solution I can see is a crude hack involving AJAX polling from the parent http page.
Despite my advice on changing the page design, or using https on both sides – I still have to find a solution, since other sites apparently succeed working this way. I couldn’t copy their behavior using Firebug, because those sites don’t work with FF, and I couldn’t get any results.
I’d like to hear suggestions on solving this problem, but if it’s not feasible, I’d like to know this for sure.
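As an added example that is not part of the post, this is the parent/iframe exchange done with window.postMessage, the browser API for crossing exactly the http/https origin boundary described above; the two origins are hypothetical placeholders, and the handlers return values instead of only touching the DOM so the origin checks can be exercised outside a browser.

```javascript
// Hypothetical origins for this example. An origin is scheme + host + port,
// so http://parent.example and https://parent.example are NOT the same origin.
const PARENT_ORIGIN = "http://parent.example";
const IFRAME_ORIGIN = "https://widget.example";

// Parent side: hand the small payload to the iframe, pinned to the iframe's
// exact origin. Never use "*" here, or any page loaded into the frame gets it.
function sendToIframe(iframeWindow, payload) {
  iframeWindow.postMessage({ type: "init", data: payload }, IFRAME_ORIGIN);
}

// Parent side: accept the completion signal only from the expected iframe
// origin and only with the expected shape. Returns null for anything else.
function acceptCompletion(event) {
  if (event.origin !== IFRAME_ORIGIN) return null;
  if (!event.data || event.data.type !== "done") return null;
  return { status: String(event.data.status) };
}

// Iframe side: accept init data only from the expected parent origin, then
// reply to the verified origin (not "*"). Returns the payload or null.
function handleInitInIframe(event) {
  if (event.origin !== PARENT_ORIGIN) return null;
  if (!event.data || event.data.type !== "init") return null;
  event.source.postMessage({ type: "done", status: "ok" }, event.origin);
  return event.data.data;
}

// Browser wiring, guarded so the module also loads outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const done = acceptCompletion(event);
    if (done) console.log("iframe finished:", done.status);
    const init = handleInitInIframe(event);
    if (init) console.log("iframe received:", init);
  });
}
```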
Last year at the CCC congress 25C3 there was a presentation about security issues on web pages, and there was a very clear message: don’t mix http and https on the same page, as that provides an unacceptable risk of man-in-the-middle attacks.
A user has no way to know which part of the page is http and which is https. Combining both on the same page is malpractice, and should be treated as such.
The videos are here