Injected Stylesheet creates Chrome and IE Mixed-Content issue in iFrame div element. Possible Website Security Hack?

IIS 8.0
ASP.Net Website

Possible Website Security Hack?

Below injected stylesheet is seen on an SSL protected page:

.ui-resizable-s {
  z-index: 90;
  position: absolute;
  right: 0px;
  bottom: 0px;
  cursor: se-resize;
  background: url(http://i.imgur.com/WLonK99.png) no-repeat;
  width: 11px;
  height: 11px;
}

The background: url(http://i.imgur.com/WLonK99.png) no-repeat;  contains a ref to a non SSL image causing a new tab to open.
The image is on a div element that wraps around an iFrame whose src is a form hosted on a Credit Card Payment Gateway.

The style appears to be injected from jquery 1.9.1

I cannot find the offending script in any file in the site folders.
Here is a screenshot of the issue in Chrome:  http://snag.gy/9AGN2.jpg
plord1234Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hans LangerCommented:
The image does not look the be inside the iframe, so its valid.
jquery UI, add that "handler" in the bottom right for resize it.
https://jqueryui.com/resizable/
0
plord1234Author Commented:
Thanks for responding Hans.

I don't think you provided a solution, unless I misunderstand your response.

Notice that the form in the iFrame does not render fields to enter credit card data.  I believe this is a "Mixed Content" issue because the image is not coming from https:
0
Hans LangerCommented:
Well, maybe I did not understand your question. I understand that if a resources is not using the same protocol as the main page you will receive a security warning, but that should not stop a functionality
I noticed that your iframe has a src="about:blank", im not sure what are you trying.
Have you tried to insert the iframe without the popup?, like just in the body of the page?, to see if it is a popup issue or the payment page issue?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

plord1234Author Commented:
Notice that there are 2 handle images in bottom right of the popup here:  http://snag.gy/9AGN2.jpg.  The goal is to eliminate the resizable handle image with the non http:// source ( background: url(http://i.imgur.com/WLonK99.png) no-repeat).

Here is the same stage or the transaction in Firefox.  http://snag.gy/NfWdU.jpg
Notice no injected stylesheet inputting a second resize handle
0
Hans LangerCommented:
Maybe removing the resize functionality of the jquery-ui popup:

 $("#mydiv").dialog({
    modal: true,
   resizable: false,
    title: 'title'      
 }).dialog('open');

Open in new window

0
plord1234Author Commented:
Sorry Hans,

Please read the question again more carefully.  I cannot find the css to edit.   That is part of the issue.  I do not understand how the Injected Stylesheet is causing the problem.  Nor do I know where to access it and edit.

Peter
0
Hans LangerCommented:
Ok, I understand, so, can you try disabling ALL the browser plugins?.  that's the only way that I know that you can inject code into the page.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
plord1234Author Commented:
Good!

The Mixed Content issue is resolved.  Unfortunately, I still have the problem of the iFrame source opening without the form in Chrome.

Any intial ideas for seeing the form in the iFrame?  I will create a new Question.

I will give you full credit for resolving the Mixed Content issue.

Peter
0
Hans LangerCommented:
As I said, i would try to load the Iframe in the body first to discard that is a Popup issue. If it still not working, in the console query the iframe and check the frame.window.location object to see if it is pointing the page that you want.
0
plord1234Author Commented:
<< If it still not working, in the console query the iframe and check the frame.window.location object to see if it is pointing the page that you want.>>  

Is this not proved in the Firefox photo I sent?

Here is the same stage or the transaction in Firefox.  http://snag.gy/NfWdU.jpg
0
Hans LangerCommented:
Well, you just saw that your Chrome had a different behavior than your Firefox because of the plugins, settings,context, etc... Chrome use a different engine than Firefox, even if both work under the same standards there could be differences in the result. It is so hard to try inserting the iframe in the body instead the popup just to discard the possibility to have an issue with the popup?. I recommend you to try that to start finding the issue.
0
plord1234Author Commented:
OK. Thank you much.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
jQuery

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.