Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

iframe injection question
From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Thu, 4 Jun 2009 08:09:27 -0500

I understand that - but assuming that's not an option - HTTP only on
the injected code - is there 
another wayto do this? Not necessarily through a plain iframe - are
there any javascript, encoding
tricks, etc that would cause the browser not to recognize the mixed
content?

I think you're talking about two different things.  The browser's
response is to the protocol that the content is coming from, but you're
talking about using the content itself to modify that response. The
problem is that the content doesn't arrive until AFTER the browser
checks the protocol & prompts the user.  At least that's my
understanding.  

If you can only inject into an iframe then I think you're only option is
going to be to serve the page from an HTTPS server.  



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault