Display IFrame from same domain under SSL


I am trying to wrap a login section of our page in an iframe which has been created with SSL and display it on several pages across our company's website (kind of like a login widget).

However I keep getting an error on the page rendering the iframe indicating that:

Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

The login widget and the webpages that I want to display it on are hosted under the same domain; is this an issue?

I have searched around and nothing seems to be able to avoid this problem. Does anyone have a solution to this issue?

<iframe sandbox="allow-same-origin allow-forms allow-scripts" src="https://<sitename>/loginiframewidget.aspx"></iframe>

At the moment this is what I have in my web.config:

<httpProtocol>
  <customHeaders>
    <add name="access-control-allow-headers" value="content-type" />
    <!--<add name="Access-Control-Allow-Origin" value="*" />-->
    <add name="Content-Security-Policy" value="frame-ancestors 'self' mysite.com.au"/>
    <add name="X-Frame-Options" value="ALLOWALL"/>
  </customHeaders>
</httpProtocol>

And the headers that appear in Chrome Dev Tools on the page are:

[screenshot: response headers shown in Chrome Dev Tools]


BEST ANSWER

There are security issues with this implementation anyway.

The first is that you can't be sure the content of the unencrypted page hasn't been altered in transmission to point the src of the iframe elsewhere.

The second is that even if a user logs in with SSL, their session ID in the cookie is being sent in the clear and is easy to spoof.

Would you consider running the entire site in SSL? These days servers cope with this better than you'd think, and you wouldn't need iframes any more.

ANSWER

Try setting the frame-ancestors directive of the Content-Security-Policy header, and the X-Frame-Options header for older versions of IE.

http://caniuse.com/#feat=contentsecuritypolicy

You can add these through IIS, or add them into your web.config file:

<system.webServer>
  ...    
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'self' mywebsite.com" />
      <add name="X-Frame-Options" value="ALLOW-FROM http://mywebsite.com" />
    </customHeaders>
  </httpProtocol>    
  ...
</system.webServer>

The headers should now be sent down to the browser:

[screenshot: response headers in Chrome Dev Tools, now including Content-Security-Policy and X-Frame-Options]
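The question's own symptom (a SAMEORIGIN refusal even though the widget and the host pages share a domain) comes from how browsers define an origin: scheme, host and port together, so an https widget is cross-origin to an http page on the same host, and both 'self' in frame-ancestors and SAMEORIGIN in X-Frame-Options fail. The following Python model of the browser-side framing check is an added illustration, not code from any answer here. It assumes constructed URLs (www.mysite.com.au standing in for the question's `<sitename>`), compares only the direct embedding page (browsers check every ancestor), ignores path components in host-sources, and models the rule that a frame-ancestors directive, when present, overrides X-Frame-Options and that unrecognised X-Frame-Options values such as ALLOWALL are ignored.

```python
from urllib.parse import urlsplit

# Assumed, constructed URLs standing in for the question's "<sitename>":
# the login widget is served over https, the embedding pages over plain http.
WIDGET_URL = "https://www.mysite.com.au/loginiframewidget.aspx"
HTTP_PAGE = "http://www.mysite.com.au/home.aspx"
HTTPS_PAGE = "https://www.mysite.com.au/home.aspx"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """The (scheme, host, port) tuple browsers compare for SAMEORIGIN and 'self'.
    The scheme is part of the origin, so http://host and https://host differ."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, ancestor_url, framed_url):
    """Match one frame-ancestors source expression ('self', 'none', *, or a
    host-source such as https://mysite.com.au, *.mysite.com.au, host:8443)
    against the embedding page's origin. Path components are ignored here."""
    a_scheme, a_host, a_port = origin_of(ancestor_url)
    f_scheme, f_host, f_port = origin_of(framed_url)
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        # 'self' is the framed document's own origin, scheme included
        return (a_scheme, a_host, a_port) == (f_scheme, f_host, f_port)
    if src == "*":
        return True
    scheme, sep, rest = src.partition("://")
    if not sep:
        scheme, rest = None, src
    host_pat, _, port_pat = rest.split("/", 1)[0].partition(":")
    # An omitted scheme means the framed document's scheme; CSP tolerates an
    # https ancestor for an http document, never the reverse.
    required = scheme or f_scheme
    if a_scheme != required and not (required == "http" and a_scheme == "https"):
        return False
    if host_pat.startswith("*."):
        if not a_host.endswith(host_pat[1:]):
            return False
    elif a_host != host_pat:
        return False
    if port_pat == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    if port_pat == "*":
        return True
    return port_pat.isdigit() and int(port_pat) == a_port


def xfo_allows(value, ancestor_url, framed_url):
    """X-Frame-Options semantics. Returns None for values browsers do not
    recognise (such as ALLOWALL), which makes them ignore the header."""
    token, _, arg = value.strip().partition(" ")
    token = token.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return origin_of(ancestor_url) == origin_of(framed_url)
    if token == "ALLOW-FROM" and arg:
        # Honoured by IE and old Firefox only; Chrome treats it as invalid.
        return origin_of(arg.strip()) == origin_of(ancestor_url)
    return None


def get_header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_allowed(headers, ancestor_url, framed_url):
    """Decide whether framed_url may render inside ancestor_url, given the
    framed response's headers. A Content-Security-Policy carrying
    frame-ancestors takes precedence; X-Frame-Options is then ignored."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            name, _, sources = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                return any(source_matches(s, ancestor_url, framed_url)
                           for s in sources.split())
    xfo = get_header(headers, "X-Frame-Options")
    if xfo:
        verdict = xfo_allows(xfo, ancestor_url, framed_url)
        if verdict is not None:
            return verdict
    return True  # no effective policy: any page may frame the document


if __name__ == "__main__":
    # The headers from the question's web.config, evaluated for both page schemes.
    question_headers = {"Content-Security-Policy": "frame-ancestors 'self' mysite.com.au",
                        "X-Frame-Options": "ALLOWALL"}
    print("http page :", framing_allowed(question_headers, HTTP_PAGE, WIDGET_URL))   # False
    print("https page:", framing_allowed(question_headers, HTTPS_PAGE, WIDGET_URL))  # True
```

Running it shows the practical point: with the question's headers the widget is blocked inside an http page and allowed inside an https page on the same host, which is also why the best answer's suggestion to serve the whole site over SSL removes the framing problem rather than working around it.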

ANSWER

No means a big No: you just can't do it, you can't access SSL resources on a non-SSL page, and is your client willing to expose everything on the internet? Allowing frame options will still not work, because the browser will not allow you to cross SSL boundaries.

HTTP is not at all secure; this is the reason every site in Google is now under SSL: non-SSL content can be altered by ISPs and firewalls. In fact ISPs, firewalls and other routers are continuously injecting scripts into pages to monitor traffic.

Explain to your client that today, running an authenticated session under non-HTTPS is equivalent to locking the doors of your home but leaving all the windows open!!!

With keep-alive, SSL negotiation happens only once anyway and the performance cost is negligible; you can improve site speed by outsourcing your CDN to CloudFront or any other CDN with their subdomain SSL.

OAuth - But Recommended only under SSL anyway

You can implement your own OAuth provider and use it to distribute OAuth tokens that can be validated server-side in your website. Your site can use secondary tokens issued by the OAuth provider to validate the user, and you can redirect users to the OAuth provider, which can run under SSL. This way you can allow users to do limited non-secure things under authentication on non-SSL pages, just like you can use Facebook/Google login etc. on non-SSL sites as well.