> I understand that - but assuming that's not an option - HTTP only on the injected code - is there another way to do this? Not necessarily through a plain iframe - are there any JavaScript, encoding tricks, etc. that would cause the browser not to recognize the mixed content?

I think you're talking about two different things. The browser's response is to the protocol that the content is coming from, but you're talking about using the content itself to modify that response. The problem is that the content doesn't arrive until AFTER the browser checks the protocol & prompts the user. At least that's my understanding. If you can only inject into an iframe then I think your only option is going to be to serve the page from an HTTPS server.

From a different perspective, what user doesn't already click OK when they see those warning boxes? From a test perspective, it may be even more telling to show that the exploit was successful regardless of browser warnings. In other words, you can't expect the users to protect themselves.

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
