|
Home > Archive > IIS Server Security > April 2007 > Adding SSL to a framed website
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Adding SSL to a framed website
|
|
|
| Hi all,
I have two websites (www.site1.com and www.site2.com) running on IIS on two
different machines. One of the pages on site1 uses frames, and the main
frame contains a page from site2. I wish to enable SSL on both sites, but am
concerned that when the frames-page on site1 is accessed the browser will
complain that for the frames-embedded content the URL in the address bar
(www.site1.com) does not match the certificate (which will be from site2).
Is this the case, or will the content from site2 be displayed OK?
Thanks
steve
| |
| Daniel Crichton 2007-04-20, 7:19 am |
| steve wrote on Thu, 19 Apr 2007 15:12:37 GMT:
> Hi all,
>
> I have two websites (www.site1.com and www.site2.com) running on IIS on
> two different machines. One of the pages on site1 uses frames, and the
> main frame contains a page from site2. I wish to enable SSL on both sites,
> but am concerned that when the frames-page on site1 is accessed the
> browser will complain that for the frames-embedded content the URL in the
> address bar (www.site1.com) does not match the certificate (which will be
> from site2). Is this the case, or will the content from site2 be displayed
> OK?
I've tested using my own SSL sites with IE7 and FF2, and both are happy with
it.
Dan
| |
| David Wang 2007-04-20, 7:19 am |
| The browser won't complain if you enable SSL correctly on site2. The
reason is because the browser does NOT compare the URL in the address
bar against site2's certificate. It compares the URL that causes it to
make the SSL request (i.e. when the user clicks on the site2 link
located in the site1 frame to make a SSL request to site2) against the
certificate that comes back from negotiating that SSL request (i.e.
the server certificate returned by accessing site2).
In a non-frames situation, the URL in the address bar is a decent
approximation of the URL you clicked on to make the SSL request (not
100% correct because there can be redirections and forward-proxying
scenarios), so one may *think* that the browser compares the URL in
the address bar against the resulting SSL server certificate , but it
is not the case.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Apr 19, 8:12 am, "steve" <s...@nospamtoday.thanks> wrote:
> Hi all,
>
> I have two websites (www.site1.comandwww.site2.com) running on IIS on two
> different machines. One of the pages on site1 uses frames, and the main
> frame contains a page from site2. I wish to enable SSL on both sites, but am
> concerned that when the frames-page on site1 is accessed the browser will
> complain that for the frames-embedded content the URL in the address bar
> (www.site1.com) does not match the certificate (which will be from site2).
> Is this the case, or will the content from site2 be displayed OK?
>
> Thanks
> steve
| |
|
| "David Wang" <w3.4you@gmail.com> wrote in message
news:1177061511.777495.233100@b75g2000hsg.googlegroups.com...[vbcol=seagreen]
> The browser won't complain if you enable SSL correctly on site2. The
> reason is because the browser does NOT compare the URL in the address
> bar against site2's certificate. It compares the URL that causes it to
> make the SSL request (i.e. when the user clicks on the site2 link
> located in the site1 frame to make a SSL request to site2) against the
> certificate that comes back from negotiating that SSL request (i.e.
> the server certificate returned by accessing site2).
>
> In a non-frames situation, the URL in the address bar is a decent
> approximation of the URL you clicked on to make the SSL request (not
> 100% correct because there can be redirections and forward-proxying
> scenarios), so one may *think* that the browser compares the URL in
> the address bar against the resulting SSL server certificate , but it
> is not the case.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Apr 19, 8:12 am, "steve" <s...@nospamtoday.thanks> wrote:
Thanks to both of you for your replies - it's much appreciated!
steve
| |
| hordenador 2007-04-28, 7:18 am |
|
"steve" <steve@nospamtoday.thanks> escribió en el mensaje
news:EFLVh.363681$Wg6.353306@fe07.news.easynews.com...
> Hi all,
>
> I have two websites (www.site1.com and www.site2.com) running on IIS on
> two different machines. One of the pages on site1 uses frames, and the
> main frame contains a page from site2. I wish to enable SSL on both sites,
> but am concerned that when the frames-page on site1 is accessed the
> browser will complain that for the frames-embedded content the URL in the
> address bar (www.site1.com) does not match the certificate (which will be
> from site2). Is this the case, or will the content from site2 be displayed
> OK?
>
> Thanks
> steve
>
>
|
|
|
|
|