I have read about the inverse of SF. To start I know this is bad and less than optimal. But here is the situation. I assume my thinking on this is flawed and wanted to know if I am right or wrong here.
I have users authenticating to a webapp that is controlled by the shared hosting provider. It is not secured; it comes over plain HTTP on 80. I do have control of my own secure services on 443 with a proper cert on my domain. I created a subdirectory (it is not a wildcard cert) that is just a full-page iframe that goes to the auth page of that shared hosting service. My rationale for loading an HTTP frame over an HTTPS connection is that it is loaded securely through the tunnel and runs around my server on their internal network instead of the public internet. In theory that is not as bad. Is that even a remotely safe assumption?
This is not a permanent thing, but I need some kludge in place until I can shift gears and get rid of this.
The contents of IFRAME elements are not served by the same server (i.e. it's not a proxy). The browser will go directly to the location specified for the IFRAME to load the content. You are not securing the subpage in any way by loading it inside an IFRAME on an HTTPS page.
Modern browsers such as Google Chrome and Mozilla Firefox complain about something called "mixed content", which is basically when a website is served partially in HTTPS, so you're gonna have a bad time executing what you're proposing.
Instead, on your own server, create a location and serve that content through a reverse proxy. It is more secure to your users and you'll provide them a better experience.
Best regards.
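An added example, not part of the original answer: a small checker that lists the sub-resources an HTTPS page would make the browser fetch directly over plain HTTP, which is the "mixed content" case described above. The page URL, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose src attribute makes the browser fetch another resource itself.
SRC_TAGS = {"iframe", "script", "img", "embed", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    """Collects sub-resources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in SRC_TAGS:
            return
        value = dict(attrs).get("src")
        if not value:
            return
        # Resolve relative and scheme-relative URLs against the page URL,
        # as the browser does before it issues its own request.
        target = urljoin(self.page_url, value.strip())
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))

def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for plain-HTTP loads on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a full-page wrapper like the one described in the question.
SAMPLE_PAGE = """
<html><body style="margin:0">
  <script src="/js/wrapper.js"></script>
  <iframe src="http://auth.hosting.example/login" width="100%" height="100%"></iframe>
  <img src="//static.example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/portal/", SAMPLE_PAGE):
        print(f"mixed content: <{tag}> loads {url}")
```

Only the iframe is reported: the relative and scheme-relative URLs inherit HTTPS from the wrapper page, while the framed login page is requested by the browser over plain HTTP.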
Not quite sure if I get what you're doing, but I guess how it works will depend on the client browser and how it reacts to having unsecured pages on a secured page.
Different browsers react differently.