CSP: upgrade-insecure-requests - HTTP

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set either directive, but not both, unless you want to force HTTPS on older browsers that do not force it after a redirect to HTTP.

The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.

Syntax

Content-Security-Policy: upgrade-insecure-requests;

Examples

// header
Content-Security-Policy: upgrade-insecure-requests;

// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

With the above header set on a domain example.com that wants to migrate from HTTP to HTTPS, non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requests).

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

These URLs will be rewritten before the request is made, meaning that no insecure requests will hit the network. Note that, if the requested resource is not actually available via HTTPS, the request will fail without any fallback to HTTP.

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

Navigational upgrades to third-party resources bring a significantly higher potential for breakage, so these are not upgraded:

<a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a>

Finding insecure requests

With the help of the Content-Security-Policy-Report-Only header and the report-uri directive, you can set-up an enforced policy and a reported policy like this:

Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint

That way, you still upgrade insecure requests on your secure site, but only the monitoring policy is violated, and it reports insecure resources to your endpoint.
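To make the interplay of the enforced and the report-only policy concrete, here is an added Python simulation of how a user agent applies the two headers above on a page served from example.com. It is not code from MDN or from any browser; the policies, the page host and the sample URLs are taken from this page, while the ws-to-wss and port 80-to-443 rewriting are assumptions taken from the Upgrade Insecure Requests specification rather than from this page.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs: the two policies from the "Finding insecure requests"
# section, as a user agent would receive them on https://example.com/.
ENFORCED = "upgrade-insecure-requests; default-src https:"
REPORT_ONLY = "default-src https:; report-uri /endpoint"
PAGE_HOST = "example.com"

# ws -> wss and port 80 -> 443 are assumed from the specification, not from this page.
SECURE_SCHEME = {"http": "https", "ws": "wss"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def upgrade_url(url):
    """Rewrite an insecure URL the way the directive does; other URLs are returned unchanged."""
    p = urlsplit(url)
    if p.scheme not in SECURE_SCHEME:
        return url
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit((SECURE_SCHEME[p.scheme], netloc, p.path, p.query, p.fragment))


def apply_policies(request_url, navigational=False):
    """Return (URL actually fetched, list of violation reports) for one request.

    Enforced policy: subresource requests are always upgraded, navigations only
    when first-party, because third-party navigations are left alone.
    Report-only policy: it has no upgrade directive, so it evaluates the URL as
    written in the document and reports every http: subresource to report-uri.
    """
    enforced, monitor = parse_csp(ENFORCED), parse_csp(REPORT_ONLY)
    p = urlsplit(request_url)
    insecure = p.scheme in SECURE_SCHEME
    third_party = p.hostname != PAGE_HOST
    fetched = request_url
    if insecure and "upgrade-insecure-requests" in enforced and not (navigational and third_party):
        fetched = upgrade_url(request_url)
    reports = []
    # default-src governs subresource fetches, not navigations, so only those are reported.
    if insecure and not navigational and "https:" in monitor.get("default-src", []):
        reports.append({"blocked-uri": request_url,
                        "violated-directive": "default-src https:",
                        "report-uri": monitor["report-uri"][0]})
    return fetched, reports
```

Feeding the page's example URLs through apply_policies shows both image requests being upgraded and reported, while the third-party link is neither upgraded nor reported.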

Specifications

Specification: Upgrade Insecure Requests (the definition of 'upgrade-insecure-requests' in that specification)
Status: Candidate Recommendation
Comment: Initial definition.
