碼上快樂

相關內容    簡體    繁體

This content should also be served over HTTPS

本文轉載自   查看原文   2019-10-08 11:52   948    HttpServer

HTTPS 是 HTTP over Secure Socket Layer,以安全為目標的 HTTP 通道,所以在 HTTPS 承載的頁面上不允許出現 http 請求,一旦出現就是提示或報錯:

Mixed Content: The page at 'https://domain.com/w/a?id=074ac65d-70db-422d-a6d6-a534b0f410a4' was loaded over HTTPS, but requested an insecure image 'http://img.domain.com/images/2016/5/3/2016/058c5085-21b0-4b1d-bb64-23a119905c84_cf0d97ab-bbdf-4e25-bc5b-868bdfb581df.jpg'. This content should also be served over HTTPS.

很多運營對 https 沒有技術概念,在填入的數據中不免出現 http 的資源,出現疏忽和漏洞也是不可避免的。

解決辦法一:CSP設置upgrade-insecure-requests

W3C工作組考慮到了我們升級HTTPS的艱難,在2015年4月份就出了一個Upgrade Insecure Requests 的草案(http://www.w3.org/TR/mixed-content/),他的作用就是讓瀏覽器自動升級請求。
在我們服務器的響應頭中加入:

server { ... add_header Content-Security-Policy upgrade-insecure-requests; ... }

我們的頁面是 https 的,而這個頁面中包含了大量的 http 資源(圖片、iframe等),頁面一旦發現存在上述響應頭,會在加載 http 資源時自動替換成 https 請求。

方法二、
頁面中加入 meta 頭:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

目前支持這個設置的還只有 chrome 43.0,不過我相信,CSP 將成為未來 web 前端安全大力關注和使用的內容。而 upgrade-insecure-requests 草案也會很快進入 RFC 模式。


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 This content should also be served over HTTPS he content must be served over HTTPS 解決方案 This request has been blocked; the content must be served over HTTPS the content must be served over HTTPS 解決方案 Mixed Content: xxx This request has been blocked; the content must be served over HTTPS. 【Https異常】This request has been blocked; the content must be served over HTTPS https下 http的會被阻塞 This request has been blocked; the content must be served over HTTPS. This request has been blocked; the content must be served over HTTPS.處理方案 網頁中嵌入百度地圖報錯:The request has been blocked,the content must served over Https 在普通網頁顯示正常,加Https報This request has been blocked; the content must be served over HTTPS.,https網站加載http資源時,http資源被block
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM