在网页上混合安全和非安全内容 - 这是一个好主意吗?
我正在尝试想出一些方法来加速我的安全网站。 由于需要加载大量 CSS 图像,因此可能会降低站点速度,因为安全资源不会被浏览器缓存到磁盘,并且必须比实际需要的频率更频繁地检索。
我正在考虑的一件事可能是将基于样式的图像和 javascript 库移动到非安全子域,以便浏览器可以缓存这些不会造成安全风险的资源(渐变并不完全是敏感材料)。
我想看看其他人对做这样的事情有什么想法。 这是一个可行的想法,还是我应该以其他方式优化我的网站,例如使用 CSS sprite-maps 等来减少请求和带宽?
I'm trying to come up with ways to speed up my secure web site. Because there are a lot of CSS images that need to be loaded, it can slow down the site since secure resources are not cached to disk by the browser and must be retrieved more often than they really need to.
One thing I was considering is perhaps moving style-based images and javascript libraries to a non-secure sub-domain so that the browser could cache these resources that don't pose a security risk (a gradient isn't exactly sensitive material).
I wanted to see what other people thought about doing something like this. Is this a feasible idea or should I go about optimizing my site in other ways like using CSS sprite-maps, etc. to reduce requests and bandwidth?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
这根本不可取。 浏览器给您带来安全页面上不安全内容的麻烦的原因是它暴露了有关当前会话的信息,并使您容易受到中间人攻击。 我承认,如果唯一不安全的内容是图像,那么第三方可能无法做太多事情来嗅探重要信息,但 CSS 可以通过行为文件 (IE) 包含对 javascript/vbscript 的引用。 如果您的 JavaScript 服务不安全,则无法采取任何措施来防止 rouge 脚本在不适当的时间抓取您的网页。
充其量,您也许能够找到一种使用 iframe 安全内容的方法来保持外观和感觉。 作为一名消费者,我真的不喜欢它,但作为一名网络开发人员,由于没有其他实用的选择,我之前不得不这样做。 但是,坦率地说,即使不是更多,也存在同样多的缺陷,因为毕竟,您希望某些内容不会违反不安全内容的完整性,以便它可以托管安全内容,而不是某些替代内容。
从安全角度来看,这并不是一个好主意。
This is not advisable at all. The reason browsers give you such trouble about insecure content on secure pages is it exposes information about the current session and leaves you vulnerable to man-in-the-middle attacks. I'll grant there probably isn't much a 3rd party could do to sniff venerable info if the only insecured content is images, but CSS can contain reference to javascript/vbscript via behavior files (IE). If your javascript is served insecurely, there isn't much that can be done to prevent a rouge script scraping your webpage at an inopportune time.
At best, you might be able to get a way with iframing secure content to keep the look and feel. As a consumer I really don't like it, but as a web developer I've had to do that before due to no other pragmatic options. But, frankly, there's just as many if not more defects with that, too, as after all, you're hoping that something doesn't violate the integrity of the insecure content so that it may host the secure content and not some alternate content.
It's just not a great idea from a security perspective.
浏览器(尤其是 IE)对此感到不安,并提醒用户页面上存在混合内容。 我们进行了尝试,并有几个用户打电话来质疑我们网站的安全性。 我不会推荐它。 让用户在使用您的网站时失去安全感并不值得增加速度。
Browsers (especially IE) get jumpy about this and alert users that there's mixed content on the page. We tried it and had a couple of users call in to question the security of our site. I wouldn't recommend it. Having users lose their sense of security when using your site is not worth the added speed.
不要混合内容,没有什么比必须点击该对话框上的“是”按钮更烦人的了。 我希望 IE 能让我始终选择显示混合内容网站。 正如克里斯所说,不要这样做。
如果你想优化你的网站,有很多方法,如果 SSL 是唯一的方法,购买硬件加速器....嗯,如果你使用 http 加载图像,如果你使用 https 加载图像,它会被缓存吗? 只是一个我需要去了解的附带问题。
Do not mix content, there is nothing more annoying then having to go and click the yes button on that dialog. I wish IE would let me always select show mixed content sites. As Chris said don't do it.
If you want to optimize your site, there are plenty of ways, if SSL is the only way left buy a hardware accelerator....hmmm if you load an image using http will it be cached if you load it with https? Just a side question that I need to go find out.
请注意,在 IE 7 中,在同一页面上混合安全和非安全项目会出现问题,因此这可能会导致某些用户无法正确查看页面的所有内容。 并不是说我支持 IE 7,但最近我不得不研究这个问题,而且处理起来很痛苦。
Be aware that in IE 7 there are issues with mixing secure and non-secure items on the same page, so this may result in some users not being able to view all the content of your pages properly. Not that I endorse IE 7, but recently I had to look into this issue, and it's a pain to deal with.