Mixed Content Page

Unencrypted HTTP content embedded in an HTTPS page can be read, and modified, by a man-in-the-middle (MITM) attacker, so the connection is no longer fully secure. A page that behaves this way is called a mixed content page.

I ran into this unexpectedly at work, so I took a quick look at the topic. Hopefully this post can serve as a starting point for discussion.

In the following thread:
https://segmentfault.com/q/1010000005872734, the poster raises two problems:

1. Dynamically including an HTTP resource in an HTTPS page, such as a JS file, is blocked outright.
2. Requesting an HTTP resource via AJAX from an HTTPS page is also blocked outright.

Here is the exact error message:

Mixed Content: The page at 'https://url_1' was loaded over HTTPS, 
but requested an insecure script 'http://monitor_analytic.js'. 
This request has been blocked; the content must be served over HTTPS.

Proposed solutions:

Method 1: protocol-relative URLs.
For resources that are served over both HTTPS and HTTP, remove the scheme from the referenced URL (write //host/path instead of http://host/path);
the browser fills in the scheme of the current page, HTTPS or HTTP, so the switch is seamless. Note that on an HTTP page the resource is still fetched in the clear, and that the host must actually answer on HTTPS; once the site is HTTPS-only, a plain https:// URL is the simpler choice.

Another answer in the thread pointed to the following source: http://thehackernews.com

The search engine giant recommends enabling it via an HTTP response header,
"Content-Security-Policy: upgrade-insecure-requests", if all the content is controlled by you.

However, if the insecure resources are served from a web server you don't control, you can include the
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> tag in your page's <head>.
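As an added example (not code from the original post or from the linked answers), the following Node.js script models the browser behaviour behind the two blocked-request problems above and applies the two fixes just described: it classifies each subresource of an HTTPS page as blocked (scripts, stylesheets, frames, AJAX), warned (images, media) or fine, rewrites resource URLs to protocol-relative form, and shows what upgrade-insecure-requests does to a URL before the request is sent. The page URL, hostnames and HTML snippet are constructed for the example and do not come from the post.

```javascript
// Added example, not from the original post: models how a browser treats the
// subresources of an HTTPS page (mixed content) and applies the two fixes
// discussed above. Plain Node.js, no dependencies. All URLs and the HTML
// snippet below are constructed for this example.

// The W3C Mixed Content spec splits http: subresources on an https: page into
// "blockable" (scripts, stylesheets, frames, plugins, XHR/fetch), which are
// refused outright, and "optionally blockable" (images, audio, video), which
// browsers historically loaded with a console warning.
const BLOCKABLE = new Set(["script", "link", "iframe", "object", "embed", "xhr", "fetch"]);
const OPTIONALLY_BLOCKABLE = new Set(["img", "audio", "video"]);

// Minimal scanner for <tag ... src|href|data="url">. Not a real HTML parser,
// just enough to audit simple markup.
const SUBRESOURCE_RE =
  /<(script|link|iframe|object|embed|img|audio|video)\b[^>]*?\b(?:src|href|data)\s*=\s*["']([^"']*)["']/gi;

// What the browser does with one resource URL on the given page:
// "ok", "blocked" or "warned". `kind` is a tag name, or "xhr"/"fetch" for AJAX.
function classify(pageUrl, resourceUrl, kind) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative ("//host/x") URLs inherit the page's scheme.
  const resource = new URL(resourceUrl, page);
  if (page.protocol !== "https:" || resource.protocol !== "http:") {
    return "ok"; // mixed content only arises for http: resources on an https: page
  }
  const k = kind.toLowerCase();
  if (BLOCKABLE.has(k)) return "blocked";
  if (OPTIONALLY_BLOCKABLE.has(k)) return "warned";
  return "blocked"; // spec default: anything not optionally blockable is blockable
}

// Audit every subresource reference found in an HTML document.
function auditHtml(pageUrl, html) {
  const findings = [];
  for (const m of html.matchAll(SUBRESOURCE_RE)) {
    const [, tag, url] = m;
    findings.push({ tag: tag.toLowerCase(), url, status: classify(pageUrl, url, tag) });
  }
  return findings;
}

// Fix 1 (protocol-relative URLs): drop the scheme so the browser reuses the
// page's. The host must answer on both HTTP and HTTPS, and on an HTTP page the
// resource is still fetched in the clear.
function toProtocolRelative(url) {
  return url.replace(/^https?:/i, "");
}

function rewriteHtmlProtocolRelative(html) {
  return html.replace(SUBRESOURCE_RE, (match, _tag, url) =>
    match.replace(url, () => toProtocolRelative(url)));
}

// Fix 2 (CSP upgrade-insecure-requests): the browser rewrites every http:
// subresource URL to https: before sending the request. It helps only if that
// origin actually serves HTTPS; otherwise the request simply fails.
const CSP_HEADER = "Content-Security-Policy: upgrade-insecure-requests";
const CSP_META = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">';

function upgradeInsecureRequest(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;
  u.protocol = "https:"; // an explicit :80 is already dropped at parse time, so 443 applies
  return u.toString();
}

// Constructed sample: an HTTPS checkout page embedding four subresources.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_HTML = [
  '<script src="http://cdn.example/monitor.js"></script>',
  '<link rel="stylesheet" href="//cdn.example/site.css">',
  '<img src="http://img.example/banner.jpg">',
  '<img src="https://img.example/logo.png">',
].join("\n");

function report() {
  const lines = auditHtml(SAMPLE_PAGE, SAMPLE_HTML).map(
    (f) => `${f.status.padEnd(7)} <${f.tag}> ${f.url}`);
  lines.push(`fetch   ${classify(SAMPLE_PAGE, "http://api.example/cart", "fetch")} (AJAX to http: is blockable)`);
  lines.push("after protocol-relative rewrite: " +
    auditHtml(SAMPLE_PAGE, rewriteHtmlProtocolRelative(SAMPLE_HTML)).map((f) => f.status).join(","));
  lines.push(`with "${CSP_HEADER}" (or ${CSP_META}): http://cdn.example/monitor.js -> ` +
    upgradeInsecureRequest("http://cdn.example/monitor.js"));
  return lines.join("\n");
}

console.log(report());
```

Run it with `node` to see the audit of the sample page: the script is blocked, the protocol-relative stylesheet and the https image are fine, the http image is only warned about, and after either fix every reference resolves to https. Whichever fix you pick, check that every third-party host in the audit really serves HTTPS first; neither a protocol-relative URL nor upgrade-insecure-requests can conjure a TLS endpoint that does not exist.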

For HTTP image links on an HTTPS page, Chrome (at the time of writing) does not block them but only prints a warning. Not every mobile WebKit browser handles them this way, though; many phones still block the image outright, so it never displays. Newer Chrome versions auto-upgrade such image URLs to https:// and block them if the upgrade fails, so the warning-only behaviour cannot be relied on either.

 Mixed Content: The page at 'https://url_1' was loaded over HTTPS, but requested an insecure image
 'http://762961797.jpg'. This content should also be served over HTTPS.

Summary: on a mixed content page the connection is only partially encrypted. For a smooth migration from HTTP to HTTPS, leaving pages as mixed content is a very poor choice.

If you found this useful, please follow my WeChat official account. Thanks, everyone!


萌牛爱分享
