Security risk of embedding an https iframe in an https page with a lightbox

Please fill out the fields below so we can help you better.

My domain is: https://www.bowmanvisual.com

I ran this command:

It produced this output:

My web server is (include version): Apache 3.26.8

The operating system my web server runs on is (include version): Linux with cPanel

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

Hi @gbowman,

Could you explain more about what your security concern is here?

Sorry, I accidentally hit “send”.

On my site, the page, https://www.bowmanvisual.com/client/tools.html, has 2 lightboxes. Each contains an iframe. The links within the iframe are https links. One is to an online whiteboard. One is to a JotForms form for uploading files to Dropbox. When the page loads, I have a green lock symbol in Chrome and a simple lock in Safari. When each dropbox is loaded, the shows as “not secured.” The green lock is replaced on Chrome by a circled “i.” The lock disappears on Safari.

I think the combination of links within a lightbox is being read as mixed content, but both my site and the links are https. How can I fix this?

Aha! Interestingly, I see different results in Firefox and Chromium. Firefox says it’s secure but Chromium says it’s insecure.

My first guess is that it’s just about these two HTTP resources:

http://www.bowmanvisual.com/favicon.ico
http://www.bowmanvisual.com/apple-touch-icon.png

Ok. These images are hosted on my site and uploaded with all of my other content. So I need to check my files to make sure all linked files are listed as https wherever they occur.

Do you see any issue with my lightbox/iframe links setup? Is this a valid or safe use of an iframe?

The iframe security issues are part of the larger topic of web application security, with which I’m unfortunately not very familiar. It’s kind of a higher layer than HTTPS and cryptography, and I haven’t studied it very much.

There can be options or headers which make the use of iframes safer in some ways, but I don’t know much about them. I would suggest consulting a book or tutorial that introduces web application security. I don’t believe that this issue is related to what’s causing the browser warning in this case; I think the browser warning that you see is all about mixed content, not frames.
