WebApp Sec mailing list archives
Re: Secure iFrames
From: Tim Brown <tmb () 65535 com>
Date: Tue, 4 Nov 2014 18:53:23 +0000
On Tuesday 04 November 2014 01:43:45 Dave Pyper wrote:
From a high level, your design should start with the HTTP-served index.html page that redirects to an HTTPS-served index2.html that calls the remote HTTPS-served iFrame-embedded page(s). There are details that will be specific to your implementation, like protocol restrictions on index (HTTP-only) and index2 (HTTPS-only) files, and so forth that I won't go into. But for the sake of old-school simplicity, that's the model I recommend and use.
So what happens if someone MiTMs the redirect? If Telnet is no longer acceptable, why is HTTP?

Tim
--
Tim Brown
<mailto:tmb () 65535 com>