plord1234
asked on
Injected Stylesheet creates Chrome and IE Mixed-Content issue in iFrame div element. Possible Website Security Hack?
IIS 8.0
ASP.Net Website
Possible Website Security Hack?
Below injected stylesheet is seen on an SSL protected page:
.ui-resizable-s {
z-index: 90;
position: absolute;
right: 0px;
bottom: 0px;
cursor: se-resize;
background: url(http://i.imgur.com/WLonK99.png) no-repeat;
width: 11px;
height: 11px;
}
The background: url(http://i.imgur.com/WLonK99.png) no-repeat; contains a ref to a non SSL image causing a new tab to open.
The image is on a div element that wraps around an iFrame whose src is a form hosted on a Credit Card Payment Gateway.
The style appears to be injected from jquery 1.9.1
I cannot find the offending script in any file in the site folders.
Here is a screenshot of the issue in Chrome: http://snag.gy/9AGN2.jpg
ASP.Net Website
Possible Website Security Hack?
Below injected stylesheet is seen on an SSL protected page:
.ui-resizable-s {
z-index: 90;
position: absolute;
right: 0px;
bottom: 0px;
cursor: se-resize;
background: url(http://i.imgur.com/WLonK99.png) no-repeat;
width: 11px;
height: 11px;
}
The background: url(http://i.imgur.com/WLonK99.png) no-repeat; contains a ref to a non SSL image causing a new tab to open.
The image is on a div element that wraps around an iFrame whose src is a form hosted on a Credit Card Payment Gateway.
The style appears to be injected from jquery 1.9.1
I cannot find the offending script in any file in the site folders.
Here is a screenshot of the issue in Chrome: http://snag.gy/9AGN2.jpg
ASKER
Thanks for responding Hans.
I don't think you provided a solution, unless I misunderstand your response.
Notice that the form in the iFrame does not render fields to enter credit card data. I believe this is a "Mixed Content" issue because the image is not coming from https:
I don't think you provided a solution, unless I misunderstand your response.
Notice that the form in the iFrame does not render fields to enter credit card data. I believe this is a "Mixed Content" issue because the image is not coming from https:
Well, maybe I did not understand your question. I understand that if a resources is not using the same protocol as the main page you will receive a security warning, but that should not stop a functionality
I noticed that your iframe has a src="about:blank", im not sure what are you trying.
Have you tried to insert the iframe without the popup?, like just in the body of the page?, to see if it is a popup issue or the payment page issue?
I noticed that your iframe has a src="about:blank", im not sure what are you trying.
Have you tried to insert the iframe without the popup?, like just in the body of the page?, to see if it is a popup issue or the payment page issue?
ASKER
Notice that there are 2 handle images in bottom right of the popup here: http://snag.gy/9AGN2.jpg. The goal is to eliminate the resizable handle image with the non http:// source ( background: url(http://i.imgur.com/WLonK99.png) no-repeat).
Here is the same stage or the transaction in Firefox. http://snag.gy/NfWdU.jpg
Notice no injected stylesheet inputting a second resize handle
Here is the same stage or the transaction in Firefox. http://snag.gy/NfWdU.jpg
Notice no injected stylesheet inputting a second resize handle
Maybe removing the resize functionality of the jquery-ui popup:
$("#mydiv").dialog({
modal: true,
resizable: false,
title: 'title'
}).dialog('open');ASKER
Sorry Hans,
Please read the question again more carefully. I cannot find the css to edit. That is part of the issue. I do not understand how the Injected Stylesheet is causing the problem. Nor do I know where to access it and edit.
Peter
Please read the question again more carefully. I cannot find the css to edit. That is part of the issue. I do not understand how the Injected Stylesheet is causing the problem. Nor do I know where to access it and edit.
Peter
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Good!
The Mixed Content issue is resolved. Unfortunately, I still have the problem of the iFrame source opening without the form in Chrome.
Any intial ideas for seeing the form in the iFrame? I will create a new Question.
I will give you full credit for resolving the Mixed Content issue.
Peter
The Mixed Content issue is resolved. Unfortunately, I still have the problem of the iFrame source opening without the form in Chrome.
Any intial ideas for seeing the form in the iFrame? I will create a new Question.
I will give you full credit for resolving the Mixed Content issue.
Peter
As I said, i would try to load the Iframe in the body first to discard that is a Popup issue. If it still not working, in the console query the iframe and check the frame.window.location object to see if it is pointing the page that you want.
ASKER
<< If it still not working, in the console query the iframe and check the frame.window.location object to see if it is pointing the page that you want.>>
Is this not proved in the Firefox photo I sent?
Here is the same stage or the transaction in Firefox. http://snag.gy/NfWdU.jpg
Is this not proved in the Firefox photo I sent?
Here is the same stage or the transaction in Firefox. http://snag.gy/NfWdU.jpg
Well, you just saw that your Chrome had a different behavior than your Firefox because of the plugins, settings,context, etc... Chrome use a different engine than Firefox, even if both work under the same standards there could be differences in the result. It is so hard to try inserting the iframe in the body instead the popup just to discard the possibility to have an issue with the popup?. I recommend you to try that to start finding the issue.
ASKER
OK. Thank you much.
jquery UI, add that "handler" in the bottom right for resize it.
https://jqueryui.com/resiz