简体繁体 English

允许HTTP iFrame在HTTPS父框架上调用JavaScript

[英]Allowing HTTP iFrame to call JavaScript on HTTPS parent frame

原文 2010-07-26 00:14:35 6 3 javascript/ iframe/ https/ dns/ xss

I have an https page ( https://example.com/main.php ) that has an iframe with a non-https source ( http://example.com/inner.php ). 我有一个https页面（ https://example.com/main.php ），其中包含一个非https源的iframe（ http://example.com/inner.php ）。 Both files are on the same server - just one is accessed with https and the other is not. 两个文件都在同一台服务器上 - 只有一个用https访问而另一个不是。 I need the non-https page to be able to execute javascript on the https main.php page using code such as parent.myfunction() 我需要非https页面能够使用诸如parent.myfunction()代码在https main.php页面上执行javascript

However, when I try this, I get the following error: 但是，当我尝试这个时，我收到以下错误：

Unsafe JavaScript attempt to access frame with URL https://example.com/main.php from frame with url http://example.com/inner.php . 不安全的JavaScript尝试使用网址http://example.com/inner.php从网址https://example.com/main.php访问框架。 Domains, protocols and ports must match. 域，协议和端口必须匹配。

I have set document.domain = 'example.com' on both files and I thought that would fix it, however, it does not. 我已经在两个文件上设置了document.domain = 'example.com' ，我认为这会解决它，但是，它没有。 Is there any way to allow the frame to execute javascripts on the parent frame and vice-versa? 有没有办法允许框架在父框架上执行javascripts，反之亦然？ If so, what are the security implications of this? 如果是这样，这有什么安全隐患？

PS: For those of you that will suggest just using https or http for both pages, I am looking into that. PS：对于那些建议只对两个页面使用https或http的人，我正在调查。 However, due to the processes occuring in the iframe page, this might not be aa feasible option due to server load issues. 但是，由于iframe页面中发生的进程，由于服务器负载问题，这可能不是一个可行的选项。

3 个解决方案

The "Same Origin Policy" covers the protocol ("http" or "https"), the hostname, and the port number. “同源策略”包括协议（“http”或“https”），主机名和端口号。 All of those have to match or you lose. 所有这些必须匹配或你输了。

If your server load would really be affected by having to apply encryption to the <iframe> page, then I suspect you've got other, far more serious problems. 如果您的服务器负载真的会受到必须对<iframe>页面应用加密的影响，那么我怀疑您还有其他更严重的问题。 In this day and age that really shouldn't be an issue. 在这个时代，这真的不应成为一个问题。 If you've got a massively high-traffic site, then you probably should be using a front-end to do the SSL anyway. 如果你有一个大流量的网站，那么你可能应该使用前端来进行SSL。

If it were ever possible to do what you are asking to do, no SSL-secured web site would ever be safe. 如果是以往任何时候都可以做到你所要求做什么，没有SSL保护的网站将永远是安全的。

Let me describe the problem. 让我来描述一下这个问题。 Let's say a user, Alice, goes to access her account on Paypal.com. 假设用户Alice在Paypal.com上访问她的帐户。 I, Mallory, am between Paypal and Alice. 我，马洛里，我在Paypal和Alice之间。 As Alice accesses Paypal, I intercept her request and return a page containing two things: one frame with https://paypal.com , and one containing a page purporting to be ' http://my.paypal.com ', which I crafted myself. 当Alice访问Paypal时，我拦截她的请求并返回一个包含两个内容的页面：一个框架与https://paypal.com ，一个包含一个声称是' http://my.paypal.com '的页面，我精心打造自己。 The HTTPS frame validates fine because it actually came from Paypal. HTTPS框架验证正常，因为它实际上来自Paypal。 The HTTP frame contains some Javascript of my device which will reach into the HTTPS frame, and when Alice enters her password it will send it to me! HTTP框架包含我的设备的一些Javascript，它将进入HTTPS框架，当Alice输入她的密码时，它会发送给我！

So no, it's not OK to access secure content from insecure content, even on the same domain. 所以不，从不安全的内容访问安全内容是不行的，即使在同一个域上也是如此。

You can not do cross-domain/cross-protocol/cross-port access with JavaScript. 您无法使用JavaScript进行跨域/跨协议/跨端口访问。 This is known as "cross domain scripting", which is an issue since without security like this, I could open up GMail in an iframe, get the "u" and "p" textboxes, and have a user's login info like that. 这被称为“跨域脚本”，这是一个问题，因为没有这样的安全性，我可以在iframe中打开GMail，获取“u”和“p”文本框，并拥有这样的用户登录信息。

What you put in your PS is the only real solution you can use besides using an echo server... which would be overkill. 你在PS中添加的是除了使用echo服务器之外你可以使用的唯一真正的解决方案......这将是一种过度杀伤力。