We're looking for a user researcher to understand the needs of developers and designers. Is this you or someone you know? Check out the post: https://mzl.la/2IGzdXS

CSP: upgrade-insecure-requests

这篇翻译不完整。请帮忙从英语翻译这篇文章

 

HTTP Content-Security-Policy (CSP) upgrade-insecure-requests指令指示客户端将该站点的所有不安全URL(通过HTTP提供的URL)视为已被替换为安全URL(通过HTTPS提供的URL)。该指令适用于需要重写大量不安全的旧版URL的网站。

upgrade-insecure-requests指令在 block-all-mixed-content 之前被执行,如果其被设置,后者实际上是空操作。可以设置其中一个,但不能同时设置。

The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.

Syntax

Content-Security-Policy: upgrade-insecure-requests;

Examples

// header
Content-Security-Policy: upgrade-insecure-requests;

// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

一旦将上述头部设置在计划从HTTP迁移到HTTPS的example.com域名上, 非跳转(non-navigational)的不安全资源请求会自动升级到HTTPS(包括第当前域名以及第三方请求)。

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

这些URL在请求发送之前都会被改写成HTTPS,也就意味着不安全的请求都不会发送出去。注意,如果请求的资源在HTTPS情况下不可用,则该请求将失败, 其也不能回退到HTTP。

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

Navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded:

<a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a>

Finding insecure requests

通过 Content-Security-Policy-Report-Only  HTTP头部和 report-uri 指令,您可以设置执行策略和报告策略,如下所示:

Content-Security-Policy: upgrade-insecure-requests; default-src https: 
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint

That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure resources to your endpoint.

Specifications

Specification Status Comment
Upgrade Insecure Requests
upgrade-insecure-requests
Candidate Recommendation Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support43 No142 No30 No
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support4343 No4230 No4.0

1. Under consideration for future release.

See also

文档标签和贡献者

此页面的贡献者: shevacjs
最后编辑者: shevacjs,