HTTPS and Ajax, strange behaviour after testing
Recently I've been carrying on a series of tests to see how HTTPS behaves with normal requests and Ajax requests in different situations. Here are the test results (I've been using jQuery to do the ajax calls):
- When going from a page with Https to a normal Http one, will a popup appear to the user? Result: the ipod touch (IPT from now on) doesn't issue any warning. Neither does Chrome. Safari and Firefox will instead come out with a window saying that you are going away from a secure zone. My Android device showed a behaviour similar to IPT and Chrome.
- When doing a request using ajax, to a URL with HTTPS from a page with HTTPS: as expected everything works well and no popups show up (they're not supposed to come as we are still using an encrypted channel).
- When doing a request using ajax to a URL with HTTP from a page with HTTPS (so we are doing an unsafe request from a safe page): here all requests fail, this is seen in javascript as the request completes, but it gives an empty response. The user is not prompted in any way. The same result is obtained on every device and every desktop browser. It is then impossible to do unsafe Ajax requests to unsafe pages on the same domain.
- Let's try to do an HTTP request to another domain using Ajax, from an HTTPS page. This could potentially be a risk, as the request may send sensitive data, that you received through HTTPS, using a non-encrypted channel. Surprisingly this works on every platform without errors or complaints. This is in contrast with the last result as I can do unsafe requests to other domains, but not to the same one! It is a strange behaviour...
- If it lets you do a non-encrypted request from an encrypted page, it will let you do an encrypted request, common sense says... in fact we are right, it does on every platform.
I'm surprised that it doesn't let you do an HTTP Ajax call from an HTTPS page to your same domain (in this situation it was the same page) and it allows you to do it to other domains. Do you know more about this issue?
A partial answer for you -
http://en.wikipedia.org/wiki/Same_origin_policy
That has way better explanations about the policy of same origin than I could give.
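The answer above points at the same-origin policy. As an added example (not code from the question or the answer), the snippet below classifies the four Ajax scenarios from the question by origin tuple and by whether the request downgrades the scheme; `example.com` and `other.example` are placeholder hosts.

```javascript
// Added example, not part of the original question or answer.
// A browser origin is the tuple (scheme, host, port). The post's
// "same domain over HTTP" case therefore has a different origin than
// the HTTPS page it is issued from, even though the host is the same.

function originOf(urlString) {
  const u = new URL(urlString);
  // URL parsing drops a default port, so normalise it back so that
  // https://example.com and https://example.com:443 compare equal.
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol];
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function classifyRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return {
    // Same-origin policy compares the full (scheme, host, port) tuple.
    sameOrigin: originOf(pageUrl) === originOf(targetUrl),
    // The risk the question raises: data received over HTTPS would be
    // sent out again over plaintext HTTP.
    schemeDowngrade: page.protocol === 'https:' && target.protocol === 'http:',
  };
}

// Constructed sample URLs mirroring the question's scenarios (placeholder hosts).
const SCENARIOS = [
  { label: 'HTTPS page -> HTTPS URL, same host',  page: 'https://example.com/app', target: 'https://example.com/api' },
  { label: 'HTTPS page -> HTTP URL, same host',   page: 'https://example.com/app', target: 'http://example.com/api' },
  { label: 'HTTPS page -> HTTP URL, other host',  page: 'https://example.com/app', target: 'http://other.example/api' },
  { label: 'HTTPS page -> HTTPS URL, other host', page: 'https://example.com/app', target: 'https://other.example/api' },
];

function classifyScenarios() {
  return SCENARIOS.map((s) => ({ label: s.label, ...classifyRequest(s.page, s.target) }));
}

for (const result of classifyScenarios()) console.log(result);
```

Only the first scenario is same-origin; the "same domain" HTTP call is cross-origin because the scheme is part of the origin, which is why the browser does not treat it like the HTTPS call to the same host.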