linguisticteam / member-portal

Member Portal

Iframes having HTTP links are blocked by browsers when connection is HTTPS #2

Open BorislavZlatanov opened 9 years ago

BorislavZlatanov commented 9 years ago

What you did: Visit a page that has an iframe embedded. You have to visit it under an HTTPS connection.

What happened: The content in the iframe does not open.

What you expected to happen: The content in the iframe should open.

BorislavZlatanov commented 9 years ago

Investigation showed that when you visit the site's page under HTTPS and when the iframe has an HTTP link, the browser blocks the content in the iframe. The little shield which browsers use to tell you that they blocked content on the page has to be clicked and then you can see the content from the iframe. Note: When the link in the iframe is HTTPS, there is no problem.

Possible solutions:

LTIOfficial commented 9 years ago

Should the two sites in the example above be reversed, where http redirects to https?

If I'm not mistaken, htaccess files are able to handle RegEx expressions. Is there a way to wildcard sites within a redirect, so that any http URL would auto-redirect to https?

BorislavZlatanov commented 9 years ago

No, HTTPS should redirect to HTTP. Let me try to make a clearer example:

https://members.lti.org/iframe-page is a page in the site which has an iframe embedded in it. The link in the iframe is http://www.google.com. Because the iframe's link is HTTP, whereas the connection to https://members.lti.org/iframe-page is HTTPS, browsers block the content coming from the iframe.

The above idea about the redirection is that if the page https://members.lti.org/iframe-page redirects to http://members.lti.org/iframe-page, then the content loaded in the iframe would not be blocked.

Yes, the rules of the redirect work with regex. For the regex to work, it has to match against a common pattern in the URL. Now that I think about it, it might work if all pages which have an iframe, and that iframe has an HTTP link, have some common pattern in their alias. For example, if a page has an iframe with the link http://www.google.com, that page's alias can be something like /google-httpiframe (then the link to the page would be https://members.lti.org/google-httpiframe). Then the redirect rule would match against the httpiframe part of the URL and would automatically redirect to the same URL but this time with HTTP in front. I haven't tested it, but I think it could work.
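
The blocking behaviour described in this thread can be checked before a page goes live. The following JavaScript is an added example, not code from the member-portal project or from any commenter: it lists the iframes in a page's markup and flags those that an HTTPS page would load over HTTP. The function names and the sample markup are constructed for illustration.

```javascript
// Added example; function names and sample markup are constructed.
// Simplification: browser exceptions (e.g. loopback hosts) are ignored.

// Collect the src of every <iframe> opening tag (quoted or unquoted value).
function iframeSources(html) {
  const sources = [];
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const m = srcRe.exec(tag);
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve each src against the embedding page, then compare schemes.
function auditFrames(pageUrl, html) {
  const page = new URL(pageUrl);
  return iframeSources(html).map((src) => {
    let frame;
    try {
      frame = new URL(src, page); // handles relative and //host forms
    } catch {
      return { src, resolved: null, status: "invalid" };
    }
    const mixed = page.protocol === "https:" && frame.protocol === "http:";
    return { src, resolved: frame.href, status: mixed ? "blocked-mixed-content" : "ok" };
  });
}

// Constructed sample: the thread's HTTP iframe plus three variants.
const samplePage = `
<iframe src="http://www.google.com"></iframe>
<iframe src='https://www.google.com'></iframe>
<iframe src="//www.google.com/maps"></iframe>
<iframe src=/local-widget></iframe>`;

for (const row of auditFrames("https://members.lti.org/iframe-page", samplePage)) {
  console.log(row.status.padEnd(22), row.resolved);
}
```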