Mixed content

When a user browses a site over HTTPS, the connection between the browser and the server is encrypted with TLS, which protects it against eavesdropping and man-in-the-middle attacks.

If a page delivered over HTTPS includes content delivered over plain HTTP, the connection is only partially encrypted: the unencrypted content can be eavesdropped on or modified by a man-in-the-middle, so the connection is no longer secure. When this happens on a site, we say the page contains mixed content.

Web console

Starting with Firefox 16, the web console displays a warning when a page contains mixed content. Mixed content sources delivered over HTTP are shown in red, followed by a "Mixed Content" message that links to this page.

Screen shot of the web console displaying a mixed content warning.

To fix this error, deliver the content over HTTPS instead of HTTP. Common mixed content includes JavaScript .js files, CSS .css stylesheets, image files, video files and other media documents.

Starting with Firefox 23, mixed active content is blocked by default, and mixed passive content can also be blocked through a preference. To make mixed content errors easier for web developers to find, every blocked mixed content request is shown in the Security pane of the web console.

A screenshot of blocked mixed content errors in the Security Pane of the Web Console

Types of mixed content

There are two categories of mixed content: Mixed Passive/Display Content and Mixed Active Content. The difference lies in the threat level of the worst case scenario if the content is rewritten as part of a Man-In-The-Middle attack. In the case of passive content, the threat is low (the webpage appears broken or shows misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, and so on.

Mixed passive content

Mixed Passive/Display Content is content served over HTTP that is included in an HTTPS webpage but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or a message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website, so if the attacker observes HTTP requests for certain images, they can determine which webpage the user is visiting.

List of passive content

These HTTP requests are considered passive content:

  • <audio> (src attribute)
  • <img> (src attribute)
  • <video> (src attribute)
  • <object> subresources (when an <object> performs HTTP requests)

Mixed active content

Mixed Active Content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for Mixed Display Content above, Mixed Active Content is vulnerable to a few other attack vectors.

In the Mixed Active Content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content depends on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. Even if the webpage is public and holds no sensitive data about the user, Mixed Active Content still gives the attacker the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.
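The passive and active categories above map directly onto the markup of a page, so a developer can audit a page for mixed content before the browser does. The following scanner is an added example, not code from the MDN page or from Firefox: it walks a page's HTML, flags every subresource whose URL is literally `http://`, and classifies it as passive or active. The passive set follows the page's own list (`<audio>`, `<img>`, `<video>`, `<object>`); the active set (`<script src>`, `<link rel="stylesheet" href>`, `<iframe src>`) is this example's assumption, based on what browsers block as active content. Parsing is regex-based so it runs in plain Node.js without a DOM library; it is a lint aid, not a full HTML parser. The sample HTML is constructed for the example.

```javascript
// Added example (not from the MDN page): a static scanner that finds http://
// subresources in an HTTPS page's markup and classifies them as mixed
// passive or mixed active content.

// Passive content, per the page's own list.
const PASSIVE = { audio: ["src"], img: ["src"], video: ["src"], object: ["data"] };
// Assumption for this example: these load blockable (active) content.
const ACTIVE = { script: ["src"], iframe: ["src"], link: ["href"] };

const TAG_RE = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute string of one start tag into a lower-cased map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Only a literal http: scheme is mixed content on an HTTPS page.
// Protocol-relative ("//host/x") and https: URLs resolve to HTTPS.
function isInsecureUrl(url) {
  return /^\s*http:\/\//i.test(url);
}

// Returns one finding per insecure subresource, in document order.
function findMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    let kind, attrNames;
    if (PASSIVE[tag]) {
      kind = "passive"; attrNames = PASSIVE[tag];
    } else if (ACTIVE[tag]) {
      kind = "active"; attrNames = ACTIVE[tag];
    } else {
      continue; // <a href> and friends are navigation, not subresources
    }
    // Simplification: only a stylesheet <link> is treated as active here.
    if (tag === "link" && !/\bstylesheet\b/i.test(attrs.rel ?? "")) continue;
    for (const name of attrNames) {
      const url = attrs[name];
      if (url !== undefined && isInsecureUrl(url)) {
        findings.push({
          tag, attr: name, url, kind,
          // The fix the page recommends: serve the same resource over HTTPS.
          fix: url.replace(/^\s*http:/i, "https:"),
        });
      }
    }
  }
  return findings;
}

function summarize(findings) {
  return {
    active: findings.filter((f) => f.kind === "active").length,
    passive: findings.filter((f) => f.kind === "passive").length,
  };
}

// Constructed sample page: hostnames and paths are made up for the example.
const SAMPLE_HTML = `
<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <script src="https://cdn.example.test/app.js"></script>
  <script src='http://cdn.example.test/analytics.js'></script>
</head><body>
  <img src="http://img.example.test/logo.png" alt="logo">
  <img src="//img.example.test/hero.png">
  <video src="http://media.example.test/intro.mp4"></video>
  <iframe src="http://widgets.example.test/chat"></iframe>
  <a href="http://www.example.test/about">About</a>
</body></html>`;

for (const f of findMixedContent(SAMPLE_HTML)) {
  console.log(`[${f.kind}] <${f.tag} ${f.attr}="${f.url}">  ->  ${f.fix}`);
}
console.log(summarize(findMixedContent(SAMPLE_HTML)));
```

On the sample page the scanner reports three active findings (the stylesheet, the second script and the iframe) and two passive ones (the logo image and the video); the protocol-relative image, the HTTPS script and the plain link are left alone. Each finding carries the HTTPS URL the page recommends switching to, which is the fix in the common case where the same host also serves the resource over TLS.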

List of active content

These HTTP requests are considered active content:

See also


Document tags and contributors

 Contributors to this page: a780201, wildsky, Asheesh
 Last updated by: a780201,