Problem description

I'm in the process of developing an application for a client, which will have an SSL certificate and be served under https. However, to integrate with their existing site they want to provide their navigation inside an iframe.

I can see this causing trouble, as I'd expect the browser to complain about the mix of secure and insecure content on the page. I've had a look at similar questions on here and they all seem to refer to this the other way round (secure content in the iframe).

What I'd like to know, then, is: will it cause issues to have insecure content included inside an iframe, placed on a secure page, and if so what sort of problems would they be?

Ideally if it's not a good idea (and I have a strong feeling that it isn't) I need to be able to explain this to the client.

Recommended answer

If your page is being accessed using https://www.example.com/main/index.jsp (SSL) then your browser will complain with "This page contains both secure and insecure items" if there are any resources in the HTML code that are referenced with http:// (non-SSL). This includes iframes.

If your navigation page is hosted on the same server then you can prevent the "insecure content" message by using a relative URL like this...

<iframe src="/app/navigation.jsp"></iframe>

From your question it sounds like your navigation page is being served from a separate host and you're being forced to use something like this

<iframe src="http://otherserver.example.com/app/navigation.jsp"></iframe>

which will of course cause the "insecure content" message in your browser.

Your only solutions are to either


  1. implement SSL on the server holding your navigation page so you can use https:// for your iframe reference, or

  2. move the navigation application to the same server so you can use a relative URL.

Personally I can't see why your navigation would be on a different host because then you're going to get JavaScript cross-domain scripting issues (unless some funky JSONP is involved).
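
A build-time check for the situation this answer describes, as an added example that is not part of the original answer: it resolves each `src` against the page URL the way a browser does and reports the ones that end up as `http://` on an `https://` page. The function name `findMixedContent` and the sample markup are constructed for illustration.

```javascript
// Added example: flag sub-resources that would be mixed content on an HTTPS page.
// Current browsers block an http:// frame on an https:// page rather than only warning.
const LOADING_TAGS =
  /<(iframe|script|img|embed|audio|video|source)\b[^>]*?\ssrc\s*=\s*(["'])(.*?)\2/gi;

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  // Only a page delivered over HTTPS can contain mixed content.
  if (page.protocol !== "https:") return findings;

  for (const match of html.matchAll(LOADING_TAGS)) {
    const [, tag, , src] = match;
    let resolved;
    try {
      // Relative ("/app/x") and protocol-relative ("//host/x") URLs
      // inherit the scheme of the page, so they stay on https.
      resolved = new URL(src, page);
    } catch {
      continue; // unparsable src: nothing is loaded
    }
    if (resolved.protocol === "http:") {
      findings.push({ tag: tag.toLowerCase(), src, resolved: resolved.href });
    }
  }
  return findings;
}

// Constructed sample markup covering the cases discussed in the answer.
const sampleHtml = `
  <iframe src="/app/navigation.jsp"></iframe>
  <iframe src="http://otherserver.example.com/app/navigation.jsp"></iframe>
  <iframe src="https://otherserver.example.com/app/navigation.jsp"></iframe>
  <script src="//otherserver.example.com/nav.js"></script>
`;

const report = findMixedContent("https://www.example.com/main/index.jsp", sampleHtml);
for (const f of report) {
  console.log(`mixed content: <${f.tag}> ${f.resolved}`);
}
```

Only the second iframe is reported; the relative, `https://` and protocol-relative references all resolve to a secure URL.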
