How to allow http content within an iframe on an https site

web-development

content-security-policy

https-proxy

iframe-security

byAnton Shumikhin·Jan 23, 2025

You can embed HTTP content in an HTTPS page using a reverse proxy. The trick is to set up the proxy in a way that it serves HTTP requests over HTTPS, and then utilize it as the source in your iframe, as shown below:

<!-- Meet your new bouncer, Mr. Reverse Proxy -->
<iframe src="https://secure-proxy.example.com/"></iframe>

Ensure the proxy is equipped to handle SSL encryption and fetch HTTP content efficiently.

If an upgrade of the external HTTP content is beyond your influence, it could be worth their while for the content provider to seriously consider transitioning to HTTPS. Not only will this ease the embedding process but it can greatly enhance site security and SEO.

Wield the HTTPS power: secure techniques for HTTP embedding

While complete transition of web content to HTTPS remains the ultimate security solution, there are steps you can take to safely include HTTP content when this transition isn't immediately available:

HTTPS Adoption Advocacy

Take swift action by engaging directly with the HTTP content owners. Persuade them to embrace HTTPS; it enhances their web security, strengthens SEO positioning and fosters smooth embedding of content without compromising security on your site.

Leverage an HTTPS Proxy

As a viable alternative, employ an HTTPS proxy to summon HTTP content. Services like embed.ly come in handy for embedding widely recognized HTTP APIs. It's important, of course, to ensure that any proxy used adheres to essential security guidelines.

Employ Content-Security-Policy Header

Employ the Content-Security-Policy HTTP header incorporated with the upgrade-insecure-requests directive to commit all navigable content requests to HTTPS.

<!-- This will give HTTP links an "HTTPS makeover" -->
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Deploy JavaScript Redirects

For more dynamic conditions or in instances where proxies are not an option, a JavaScript redirect on a relative link can lead to the HTTP content from an HTTPS site.

Let's get secure: Ensuring content security and integrity

Dealing with HTTP content on an HTTPS site calls for due diligence and a keen eye for best security practices to safeguard your and your users' data.

Validate and Sanitize Data

When your iframe manages dynamic HTTP content, opt for rigorous validation and sanitize data to keep XSS attacks at bay. Frameworks designed explicitly for sanitization will be fruitful.

Fetch Content with cURL and Sanitization

If you're keen on programmatically obtaining HTTP content, couple cURL with URL sanitization tools. Always adhere to the best data validation practices.

Secure Proxy Set-up

Using SSL certificates such as those freely afford by Let's Encrypt can be beneficial. When configuring the proxy, set it to serve only the content that you have inspected to minimize risk.

Disabling Security Measures – Approach with Caution

Though it's possible to adjust browser settings to permit HTTP content on HTTPS sites, such an approach should be discouraged. Deactivating security features can expose users to potential risks. Use this methodology only on a temporary, personal basis, or for testing purposes, and with the full understanding of potential threats.

Navigating browser restrictions: the ifs, the buts, and the why nots

Browsers are progressively clenching their grip on HTTP content on HTTPS pages primarily due to security risks. Below are some of the most common restrictions and a guide on how to navigate through them:

Enter: The Content Security Policy

The majority of modern browsers have mixed content blocking enabled by default. Setting up the Content-Security-Policy headers can help you circumvent this.

Meet the X-Frame Options Header

This header translates to the browser whether it's safe to load content within an iframe. If you're serving from your own domain, ensure this is set properly.

Compati-what?

Check the compatibility report for various headers like upgrade-insecure-requests on platforms like caniuse.com. This will give you a sense of which browsers will heed these commands.

The browser sandbox - establishing boundaries

Leverage the sandbox attribute embedded in your iframe tag for added security whilst displaying external content.

<!-- Putting the 'safe' in 'sandbox' -->
<iframe sandbox src="https://secure-proxy.example.com/"></iframe>

The attribute allows you to specify permissions such as allow-forms or allow-scripts providing a balance of functionability and isolation from your main website.

Adapting to evolving security standards

Security standards are fluid and constantly evolving, and staying in tune with the latest practices safeguards your site:

Watch out for security headers and their updates, keeping up-to-date with best practices.
Regularly look out for updates on browser security directives in relation to iframes.
Adhere to Content Security Policies to dictate different sources and prevent mixed content issues.

explain-codes / Web development / How to allow http content within an iframe on an https site

Linked

Are iframes considered 'bad practice'?



Get IFrame's document, from JavaScript in main document



Show YouTube video source into HTML5 video tag?



What is the difference between srcdoc="..." and src="data:text/html,..." in an ?



Get DOM content of cross-domain iframe

