
Displaying HTTP content in HTTPS site using a "proxy"

I have an HTTPS web application in which we display external content in iframes (fully customizable by the user).

Since mixed content is blocked by many browsers, I do the following for HTTP content:
An iframe links to my own JSP and sends the requested URL as a parameter. The JSP then opens an input stream on that URL and returns the response.

<%@ page import="java.io.BufferedReader, java.io.IOException, java.io.InputStreamReader, java.net.URL" %>
<%
// The "url" parameter is taken straight from the request; the JSP fetches it
// server-side and copies the response body into its own output.
BufferedReader reader = null;
URL url;
String strUrl = request.getParameter("url");
try {
    url = new URL(strUrl);
    // Open the remote resource and read it line by line as UTF-8 text
    reader = new BufferedReader(new InputStreamReader(url.openStream(), "UTF-8"));

    for (String line; (line = reader.readLine()) != null;) {
        out.println(line);
    }
} catch (Exception e) {
    // "log" is assumed to be a logger declared elsewhere in the page
    log.warn("Error on URL " + strUrl);
} finally {
    if (reader != null)
        try {
            reader.close();
        } catch (IOException ignore) {
        }
}
%>

This works very well.
The question is:
Can someone explain what the security concerns are here? Is this something I would want to do? (I can technically say that only HTTPS URLs are supported...)

Thanks!

Yes, this is certainly a security concern. What you've created is called an 'open redirect' and it's used in phishing attacks.

An attacker can abuse the trust your users have in your website (communication signed and encrypted with your SSL certificate) to redirect them to a malicious site.

Even though they may not be able to control the usage of this JSP on your website, they can use it in an email or website comment. See this question for more information.

You can solve this problem by maintaining the list of sites you want to convert from HTTP to HTTPS on the server side and referring to them by index or keyword, like:

https://myserver/proxy.jsp?url=site1
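A keyword-keyed version of the proxy, as an added example (not code from the question or the answer) of the server-side list the answer proposes. It assumes a servlet container with the javax.servlet API, keeps the original `url` parameter name, and uses a constructed two-entry site list with hypothetical targets:

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** proxy.jsp replacement: the browser sends a key, never a URL; the URLs live only here. */
public class AllowlistProxyServlet extends HttpServlet {
    // Constructed sample allowlist with hypothetical targets; fill in the sites you actually embed.
    private static final Map<String, String> SITES = Map.of(
            "site1", "http://example.com/widget",
            "site2", "http://example.org/feed");
    private static final int MAX_BYTES = 1 << 20; // cap on what one request may stream back (1 MiB)

    /** Maps a key such as "site1" to its fixed upstream URL; null for anything not in the list. */
    static URL resolveTarget(String key) throws MalformedURLException {
        String target = key == null ? null : SITES.get(key);
        return target == null ? null : new URL(target);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        URL target = resolveTarget(req.getParameter("url")); // same parameter name as the original JSP
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown site key");
            return;
        }
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        conn.setInstanceFollowRedirects(false); // an upstream 3xx must not pull in a location outside the list
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
            return;
        }
        if (conn.getContentType() != null) resp.setContentType(conn.getContentType());
        // Copy raw bytes instead of UTF-8 lines so non-text and non-UTF-8 content survive intact
        try (InputStream in = conn.getInputStream(); OutputStream out = resp.getOutputStream()) {
            byte[] buf = new byte[8192];
            long total = 0;
            for (int n; (n = in.read(buf)) != -1 && (total += n) <= MAX_BYTES; ) {
                out.write(buf, 0, n);
            }
        }
    }
}
```

A request for any key not in `SITES`, including a full URL pasted into the parameter, gets a 404 and never reaches the network.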

© 2020-2024 STACKOOM.COM