iframe HTTP over https
Application Type
Service Studio Version: 11.6.6 (Build 4873)

Hi All,

I have an issue regarding insecure mixed content. My source is using HTTP and I am not able to change it to HTTPS because of the complexity of the many code changes required to other systems.

So my issue is that I'm trying to load the internal site, which uses HTTP, in an iframe running in my new reactive application, which runs on HTTPS. The internal site is unable to load for security reasons.

I have checked that the environment security setting CSP is not turned on at all. I have also tried to set CORS and X-Frame-Options to allow the site that I'm, but it seems like none of the changes take effect.

I need some expert advice on how I should fix my situation.


Hi Chanz,

I was able to tackle this issue by adding a "*" (or the domain I want to allow in my iFrame) for Frame-ancestors, and upgrade-insecure-requests for Other Directives, with some help of this post.

However, even after doing that, the page you want to load in the iFrame might still give the following error:

In that case, there is nothing you can do because the source itself has disallowed loading of the resource in an iframe outside of their domain. If it's an OutSystems page and you have access to the environment, you can change the configuration to allow X-Framing in other origins, though.
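
The checks a browser applies in the situation discussed in this thread, as an added example that is not part of the original posts and is not OutSystems code. It models the mixed-content block, the effect of `upgrade-insecure-requests` on the embedding page, and the `frame-ancestors` / `X-Frame-Options` headers of the framed response. The function names and the hostnames in the test inputs are constructed for illustration, and the matching is simplified as the first comment says.

```javascript
// Added example. Simplified model: one nesting level, no localhost exception,
// frame-ancestors host-sources matched on scheme and host only.
function parseCsp(header) {
  const directives = new Map();
  for (const part of (header || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

function sourceMatches(source, parent, framed) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return parent.origin === framed.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const host = m[2].toLowerCase();
  // Without a scheme the framed page's own scheme applies; http also admits https.
  const want = m[1] ? m[1].toLowerCase() + ":" : framed.protocol;
  if (parent.protocol !== want && !(want === "http:" && parent.protocol === "https:")) return false;
  return host.startsWith("*.") ? parent.hostname.endsWith(host.slice(1)) : parent.hostname === host;
}

// framedHeaders: response headers of the framed page, keys in lower case.
function checkFrame(parentUrl, frameUrl, parentCsp, framedHeaders) {
  const parent = new URL(parentUrl);
  const framed = new URL(frameUrl);
  // 1. Mixed content: an http: frame inside an https: page is blocked unless upgraded.
  if (parent.protocol === "https:" && framed.protocol === "http:") {
    if (!parseCsp(parentCsp).has("upgrade-insecure-requests"))
      return { loads: false, url: framed.href, reason: "mixed-content" };
    framed.protocol = "https:"; // the framed site must really answer over HTTPS
  }
  // 2. The framed response decides who may embed it.
  const ancestors = parseCsp(framedHeaders["content-security-policy"]).get("frame-ancestors");
  if (ancestors) { // when present, frame-ancestors overrides X-Frame-Options
    const ok = ancestors.some((s) => sourceMatches(s, parent, framed));
    return { loads: ok, url: framed.href, reason: ok ? "allowed" : "frame-ancestors" };
  }
  const xfo = (framedHeaders["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || (xfo === "SAMEORIGIN" && parent.origin !== framed.origin))
    return { loads: false, url: framed.href, reason: "x-frame-options" };
  return { loads: true, url: framed.href, reason: "allowed" };
}
```

CORS headers do not appear in the model because the browser does not consult them when a frame navigates.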
