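CSP: upgrade-insecure-requests - HTTP
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten.
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content; if it is set, the latter is effectively a no-op. You can set one of the two, but not both.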
The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
Syntax
Content-Security-Policy: upgrade-insecure-requests;
Examples
// header
Content-Security-Policy: upgrade-insecure-requests;

// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Once the header above is set on the example.com domain, which plans to migrate from HTTP to HTTPS, non-navigational insecure resource requests are automatically upgraded to HTTPS (both first-party and third-party requests).
<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">
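These URLs are rewritten to HTTPS before the request is sent, which means that no insecure request ever goes out. Note that if the requested resource is not available over HTTPS, the request fails and does not fall back to HTTP.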
<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">
Navigational upgrades to third-party resources bring a significantly higher potential for breakage, so these are not upgraded:
<a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a>
Finding insecure requests
With the Content-Security-Policy-Report-Only HTTP header and the report-uri directive, you can set up an enforced policy and a reporting policy like this:
Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
That way, you still upgrade insecure requests on your secure site, but the monitoring-only policy is violated and reports insecure resources to your endpoint.
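As an added example (not part of the original page), the following JavaScript shows one way the service behind /endpoint could turn incoming reports into a list of origins that must be reachable over HTTPS, since upgraded requests have no HTTP fallback. It assumes the report-uri JSON body with a top-level "csp-report" object; the helper names and the sample reports are constructed for illustration.

```javascript
// Added example: summarize CSP violation reports received at the report-uri
// endpoint. summarizeInsecureReports is a hypothetical helper name.
function summarizeInsecureReports(rawBodies) {
  const byOrigin = new Map();
  let skipped = 0;
  for (const raw of rawBodies) {
    let blocked, doc;
    try {
      const body = JSON.parse(raw)["csp-report"];
      blocked = new URL(body["blocked-uri"]);
      doc = new URL(body["document-uri"]);
    } catch {
      skipped++; // malformed JSON, missing fields, or keywords like "inline"
      continue;
    }
    if (blocked.protocol !== "http:") { skipped++; continue; }
    const entry = byOrigin.get(blocked.origin) || {
      origin: blocked.origin,
      // The upgrade has no HTTP fallback, so this origin must serve the resource.
      mustServe: "https://" + blocked.host,
      firstParty: blocked.hostname === doc.hostname,
      count: 0,
      pages: new Set(),
    };
    entry.count++;
    entry.pages.add(doc.href);
    byOrigin.set(blocked.origin, entry);
  }
  const origins = [...byOrigin.values()]
    .map((e) => ({ ...e, pages: [...e.pages].sort() }))
    .sort((a, b) => b.count - a.count); // most frequently reported first
  return { origins, skipped };
}

// Constructed sample report bodies, shaped like what a browser would POST.
const makeReport = (documentUri, blockedUri) =>
  JSON.stringify({ "csp-report": {
    "document-uri": documentUri,
    "blocked-uri": blockedUri,
    "violated-directive": "default-src https:",
  } });
const sampleBodies = [
  makeReport("https://example.com/", "http://example.com/image.png"),
  makeReport("https://example.com/", "http://not-example.com/image.png"),
  makeReport("https://example.com/about", "http://not-example.com"),
  makeReport("https://example.com/", "inline"),
  "not json",
];

console.log(summarizeInsecureReports(sampleBodies));
```

Third-party origins in the output are the ones to check first, because their HTTPS availability is outside the site's control.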
Specifications
Specification | Status | Comment |
---|---|---|
Upgrade Insecure Requests upgrade-insecure-requests | Candidate Recommendation | Initial definition. |