files/zh-cn/web/http/headers/content-security-policy/block-all-mixed-content/index.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

---
title: 'CSP: block-all-mixed-content'
slug: Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
translation_of: Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
---
<div>{{HTTPSidebar}}</div>

<p>HTTP 协议首部字段 {{HTTPHeader("Content-Security-Policy")}} (CSP) 中的 <code><strong>block-all-mixed-content</strong></code> 指令在当前页面为通过 HTTPS 协议加载的情况下禁止通过 HTTP 渠道加载任何资源。</p>

<p>任何<a href="/en-US/docs/Web/Security/Mixed_content">混合类型</a>的资源请求都是被禁止的，包括混合活动内容和混合被动内容。这一条也适用于 {{HTMLElement("iframe")}} 中的文档，确保整体页面都不包含混合内容。</p>

<p>{{CSP("upgrade-insecure-requests")}} 指令会在 <code>block-all-mixed-content</code> 之前执行；如果前者执行成功，后者就不再发挥任何作用。推荐的做法是设置二者之一，而不是全部。</p>

<h2 id="语法">语法</h2>

<pre class="syntaxbox">Content-Security-Policy: block-all-mixed-content;</pre>

<h2 id="示例">示例</h2>

<pre>Content-Security-Policy: block-all-mixed-content;

&lt;meta http-equiv="Content-Security-Policy" content="block-all-mixed-content"&gt;
</pre>

<p>为了在更细粒度上限制对 http 资源的访问，你可以将个别指令的值设置为 "https:"。例如，为了限制对不安全的走 http 协议的图片的访问，可以这么做：</p>

<pre>Content-Security-Policy: img-src https:</pre>

<h2 id="规范">规范</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("Mixed Content", "#block-all-mixed-content", "block-all-mixed-content")}}</td>
   <td>{{Spec2('Mixed Content')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="浏览器兼容性">浏览器兼容性</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat("http.headers.csp.block-all-mixed-content")}}</p>

<h2 id="相关内容">相关内容</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li>{{CSP("upgrade-insecure-requests")}}</li>
 <li><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></li>
</ul>