As an example, let's say I'm working with a product that requires I put <iframe>s onto my page, which then get embedded into my existing website.
The issue being my website is SSL, and the iframe comes from another origin which is not SSL.
I'm not worried about JavaScript here as the other origin cannot access the DOM due to same-origin, but my huge concern here is that annoying "mixed content" error in IE that pops up, or the broken lock in other browsers, etc. If a user doesn't know to click "no," they don't get the content, which is critical to the website.
What I want to do instead is provide a way to take this content and scoop it into my own script so it sends to the browser from my domain with my SSL certificate, for all resources it links to (ie, recursively parse the file and send the resources as my own). I realize this could open a huge hole because it's now coming from my origin.
What recommended approach should I take to get third party content to land on my site? Right now the content I'm pulling is the base HTML file, the CSS, and 9 images, all of which are dynamic. This is similar to a proxy I suppose.
> What I want to do instead is provide a way to take this content and scoop it into my own script so it sends to the browser from my domain with my SSL certificate, for all resources it links to (ie, recursively parse the file and send the resources as my own). I realize this could open a huge hole because it's now coming from my origin.
Get a separate domain (mydomain.com -> thirdpartyname.mydomain-proxy.com) to serve as an HTTPS proxy for third-party content. That way they cannot run JavaScript in the same origin as your website.
Alternatively: Pressure them to adopt HTTPS. It's fast and it's free.
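The URL handling such a separate-domain proxy needs, as an added example that is not part of the original question or answer: references found in the third party's HTML and CSS are rewritten to the proxy origin, and the proxy only ever fetches from one fixed upstream host so it cannot be used as an open relay. The upstream host name, the function names and the regex-based matching are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed values: the third party's plain-HTTP host (constructed name) and
# the separate proxy domain suggested in the answer.
UPSTREAM_HOST = "widgets.thirdparty.example"
PROXY_ORIGIN = "https://thirdpartyname.mydomain-proxy.com"

# Quoted src/href attributes in HTML, and url(...) references in CSS.
_ATTR = re.compile(r'''(\b(?:src|href)\s*=\s*)(["'])(.*?)\2''', re.I | re.S)
_CSS_URL = re.compile(r'''url\(\s*(["']?)(.*?)\1\s*\)''', re.I)


def to_proxy_url(ref, base_url):
    """Map a reference found in upstream content to the proxy origin.

    Returns None unless it resolves to http(s) on UPSTREAM_HOST, so other
    hosts and javascript:/data: URLs are never relayed.
    """
    parts = urlsplit(urljoin(base_url, ref.strip()))
    if parts.scheme not in ("http", "https") or parts.hostname != UPSTREAM_HOST:
        return None
    query = "?" + parts.query if parts.query else ""
    return PROXY_ORIGIN + (parts.path or "/") + query


def to_upstream_url(request_path):
    """URL the proxy fetches for a request; the host is fixed, never user-supplied."""
    if not request_path.startswith("/") or request_path.startswith("//"):
        raise ValueError("unexpected request path")
    return "http://" + UPSTREAM_HOST + request_path


def rewrite(body, base_url):
    """Rewrite HTML or CSS so upstream resources load through the proxy.

    References that fail the allowlist are replaced with about:blank.
    """
    def attr(m):
        new = to_proxy_url(m.group(3), base_url) or "about:blank"
        return f"{m.group(1)}{m.group(2)}{new}{m.group(2)}"

    def css(m):
        new = to_proxy_url(m.group(2), base_url) or "about:blank"
        return f"url({m.group(1)}{new}{m.group(1)})"

    return _CSS_URL.sub(css, _ATTR.sub(attr, body))
```

Serving the rewritten content from the proxy domain rather than from mydomain.com keeps any script in it outside the main site's origin, which is the point of the answer above.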