1. 技术文章
  2. iframe blocked as insecure content, even though the iframe is HTTPS

iframe blocked as insecure content, even though the iframe is HTTPS

ぃ、小莉子 提交于 2020-02-04 04:00:24

问题


I am trying to embed an iframe (containing shellinabox, if that's relevant) onto an HTTPS webpage. The HTML I'm using to embed the iframe is pretty straightforward:

<div class="jumbotron" style="min-height: 400px;">

    <iframe src="https://example.com/shellinabox" style="border:none; min-height: 400px;" width="100%"></iframe>
</div>

However, Chrome blocks the iframe from loading because it is "insecure content," and I have to manually unblock it for it to work. The Chrome console reports an error like this:

Mixed Content: The page at 'https://example.com/mainpage/' was loaded over HTTPS, but requested an insecure resource 'http://example.com/shellinabox/'. This request has been blocked; the content must be served over HTTPS.

I am confused by this because clearly my HTML code is embedding the HTTPS version of example.com/shellinabox. Moreover, when I visit https://example.com/shellinabox directly, the lock icon is green, nothing is blocked, and there are no indications of any SSL problems on that page.

I also tested this in Firefox, IE, and MS edge, and they all have the same behavior (so it's not a Chrome-specific issue). What gives?


回答1:


This is an old question but I encountered the same issue. My use case is slighty different to yours, but hopefully this helps.

For me, my route on my python flask server ended with the "/" character. In my iframe, I was calling the route without the slash at the end of the src and was seeing the same error. Adding a slash to the src in the iframe did the trick for me.

<iframe src="https://example.com/shellinabox/" style="border:none; min-height: 400px;" width="100%"></iframe>

I'm not exactly sure why the missing slash on the end the src attribute would cause this error. If anyone can explain why, I'll gladly update my answer.




回答2:


your code is loading the page over https but that page is then probably trying to load additional scripts or assets over http. or it may have scripts in the page that are making ajax requests over http. youll have to examine the page and look in the developer console to see exactly what the insecure requests are. it's probably not an issue with how you are creating the iframe element.



来源:https://stackoverflow.com/questions/35042344/iframe-blocked-as-insecure-content-even-though-the-iframe-is-https

标签
html
iframe
https
mixed-content
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!