Problem description
Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?
Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites but I don't exactly know how I can do this. Can someone give me a solution?
Recommended answer
There is no solution. Modern browsers will deny using non-https resources in pages served by https because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is either to serve the site by http or to proxy includes from external non-https sites by your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating from the same domain as your own content and thus could misuse the same origin policy.
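The proxy option mentioned in the answer, as an added example that is not part of the original answer: a Node.js handler that relays only stylesheets from an allowlisted plain-HTTP host and never forwards upstream headers. The host name `legacy-cdn.example` and the `/proxy?u=` route are assumptions made for illustration.

```javascript
// Assumption: the only plain-HTTP host the site needs (constructed name).
const ALLOWED_HOSTS = new Set(["legacy-cdn.example"]);
// Only stylesheets are relayed; HTML, scripts and plugin objects are refused.
const ALLOWED_TYPES = new Set(["text/css"]);

// Validate the requested upstream URL; returns a URL object or null.
function checkUpstream(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "http:") return null;          // https can be loaded directly
  if (u.username || u.password || u.port) return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;  // exact match, no suffix matching
  return u;
}

// Headers sent to the browser, or null if the upstream response is refused.
function responseHeadersFor(status, contentType) {
  const type = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (status !== 200 || !ALLOWED_TYPES.has(type)) return null;
  return {
    "Content-Type": "text/css; charset=utf-8",
    // The browser must not reinterpret the body as script or HTML.
    "X-Content-Type-Options": "nosniff",
    // Takes effect only if the URL is opened as a document.
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "Cache-Control": "no-store",
  };
}

// Handler for GET /proxy?u=<http URL>. The proxy-to-upstream hop is still
// unauthenticated HTTP, so the body is relayed as untrusted bytes.
async function handler(req, res) {
  const raw = new URL(req.url, "https://site.invalid").searchParams.get("u") || "";
  const target = checkUpstream(raw);
  if (!target) { res.writeHead(403); return res.end("upstream not allowed"); }
  try {
    // A redirect could leave the allowlist, so it is treated as an error.
    const up = await fetch(target, { redirect: "error" });
    const headers = responseHeadersFor(up.status, up.headers.get("content-type"));
    if (!headers) { res.writeHead(502); return res.end("upstream response refused"); }
    res.writeHead(200, headers); // upstream headers (Set-Cookie etc.) are not forwarded
    res.end(Buffer.from(await up.arrayBuffer()));
  } catch { res.writeHead(502); res.end("upstream error"); }
}
```

The handler can be passed to `http.createServer` behind the site's TLS terminator; serving it from a separate hostname keeps relayed content out of the main site's origin.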