0

Used a php redirect to serve (http) page over a (https) site. When the iframe loads the styling of the page does not show but the site displays.

PHP redirect

<?php if (isset($_GET['url'])) { $url = $_GET['url']; $ch = curl_init(); $timeout = 5; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout); $data = curl_exec($ch); curl_close($ch); echo $data; } ?>

iFrame

<iframe src="https://sample/redirect.php?url=http://sample2/form/sampleform.aspx" style="width:100%;height:1200px;" frameborder="0" scrolling="auto" allowfullscreen></iframe>

Browser inspector displays

ReferenceError: validationSummary is not defined Loading failed for the <script> with source
Improve this question
1
  • It’s not as simple as that … you would need to modify the source of the external resources the iframe tries to load as well - if they are embedded using absolute URLs, you would need to replace http:// with https://, for the browser to not block those as mixed content, and if it’s relative URLs, then you would need to make them into absolute ones yourself, otherwise they get resolved using your site’s base address. Commented Jan 28, 2019 at 13:46

1 Answer 1

Reset to default
1

This feels like the problem is all revolving around your setup:

Used a php redirect to serve (http) page over a (https) site.

You're breaking protocol. Check the Network tab of your debugger tools. I'm willing to wager that you'll see an error about an insecure resource being called via HTTPS. ( The above message:

When the HTTP page loads, it is very likely calling up its .css file via HTTP - which is against the rules.

Update your CSS to be called over HTTPS. The problem should likely go away.

Another note, you may have a css processor ( lesscss, for example ) that is also being loaded insecurely, since it's made with .net - there are very likely script includes that are ALSO loaded insecurely. These would also cause problems with your call (Your error message: The browser isn't able to call up the error messages of the framework. Probably because the script is insecure and it can't load it because HTTPS is disallowed loading of insecure resources.)

[ Following is a workaround. I strongly suggest against this. Load the resources on the page the same as you do the page itself. It's a terrible solution, but it will work. It's a bad solution, it's bad practice, it's insecure, it's everything you should never do ... but so is skirting the system by serving up a HTTP page via HTTPS. You really should be serving things by HTTPS ; if I were asked to review that code, I'd throw it out and say "fix it."]

If you don't have access to the CSS/Scripts via HTTPS - Serve up the CSS by the PHP via modifying the code that you serve up by PHP. ( Use a pattern match or regex to replace the address of the your PHP version of the CSS, then serve the page. )

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.