Prevent HTTP iframes on HTTPS sites
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Low | Aaron Wells |
1.10 | Fix Released | Low | Aaron Wells |
1.9 | Fix Released | Low | Aaron Wells |
15.04 | Fix Released | Low | Aaron Wells |
Bug Description
We've reached a point now where Firefox, Chrome, and IE will all silently ignore an HTTP iframe on an HTTPS site.
Most iframe embed providers now provide an https or protocol-relative iframe code, but occasionally a user will still enter an http iframe, maybe from a site that isn't up to snuff yet, or copied from an older page. This leads to the unsatisfactory user experience where they've entered an iframe code, but the iframe doesn't show up at all.
We should change our safe iframe code so that it detects these HTTP iframes and rewrites them to HTTPS or protocol-relative.
This is also a bit of a security issue (mixing HTTP content on an HTTPS page) but since all modern browsers simply ban the unsafe iframe, it's a low-priority security issue.
no longer affects: mahara/15.10
Patch for "master" branch: https://reviews.mahara.org/4827
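
The rewrite this bug asks for, sketched in PHP as an added example (not Mahara's code and not the linked patch). The function names `upgrade_iframe_src` and `rebuild_iframe`, the 560x315 default size and the sample embed codes are assumptions made for illustration.

```php
<?php
// Added example, not Mahara's code: names and sample embed codes are constructed.

/** Upgrade an iframe src to https:// (or //); null if it is not an absolute web URL. */
function upgrade_iframe_src(string $src, bool $protocolrelative = false): ?string {
    // Accept http://, https:// and // only; data:, javascript: and relative paths are refused.
    if (!preg_match('~^(?:https?:)?//([^/?#\s]+)(.*)$~is', trim($src), $m)) {
        return null;
    }
    [, $authority, $rest] = $m;
    if (strpos($authority, '@') !== false) {
        return null; // user:pass@host has no place in an embed URL
    }
    // An explicit :80 is the plain-HTTP port; drop it so the HTTPS default applies.
    $authority = preg_replace('~:80$~', '', $authority);
    return ($protocolrelative ? '//' : 'https://') . $authority . $rest;
}

/** Take the first iframe from pasted embed code and rebuild it with an upgraded src. */
function rebuild_iframe(string $embed, bool $protocolrelative = false): ?string {
    if (trim($embed) === '') {
        return null;
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // pasted HTML is rarely well formed
    $doc->loadHTML($embed);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $iframe = $doc->getElementsByTagName('iframe')->item(0);
    $src = $iframe ? upgrade_iframe_src($iframe->getAttribute('src'), $protocolrelative) : null;
    if ($src === null) {
        return null;
    }
    // Emit a fresh tag instead of echoing user markup; only numeric width/height survive.
    $width = (int) $iframe->getAttribute('width') ?: 560;
    $height = (int) $iframe->getAttribute('height') ?: 315;
    return sprintf('<iframe src="%s" width="%d" height="%d"></iframe>',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'), $width, $height);
}

// Constructed inputs: an old http embed, one with an explicit :80, and one that is refused.
$samples = [
    '<iframe width="640" height="360" src="http://video.example.org/embed/42?rel=0"></iframe>',
    '<iframe src="HTTP://video.example.org:80/embed/42"></iframe>',
    '<iframe src="data:text/html,hello"></iframe>',
];
foreach ($samples as $embed) {
    var_dump(rebuild_iframe($embed), rebuild_iframe($embed, true));
}
```

Changing the scheme does not make the remote host serve HTTPS: an upgraded iframe pointing at a host without TLS still fails to load, so the rewrite fixes the mixed-content block only for providers that offer both schemes.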