Reputation: 1191
HSTS in iFrame src
I'm building an app that needs to serve websites in an iframe. Since the websites are decided by the user, they usually enter only the domain name, like google.com, or facebook.com. To render the website in an iframe i need to add http:// to this (I can't add https://, since the website may not be served over ssl which will cause it to not render at all.)
For this reason, I am forced to not use ssl on my website, since due to the mixed content policy, I can't add iframes that request http. I wish to know if there's a way to force hsts in the iframe src. For example, if I request http://example.org, the iframe will automatically render https://example.org (since it exists.)
Upvotes: 2
Views: 1317
Answers (1)
Reputation: 4821
HTTPS doesn't allow you to serve HTTP content. All content on the page must be a secure connection, including iFrame. This is browser standard so there's no work around to be had. Either your page has to be HTTP or the iFrame has to be HTTPS.
Upvotes: 1
Related Questions
- Embedded HTTPS site in iframe
- Insecure content in iframe on secure page
- Embed iFrame to HTTPS from HTTP and embed only certain parts?
- Embedding HTTP iframe in HTTPS iframe for HTTPS site?
- HTTPS iframe within an HTTP page, how can I stop that?
- How to make a page with an HTTPS iframe appear secure
- Chrome doesn't load untrusted SSL content in iframe
- HTTP iframe on HTTPS page
- HTTP iFrame blank in HTTPS page
- How to use http:// in https:// using iframe?