blob: 68eb2c5036cca2e6fae28a576ac63fef54d01fe2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
---
title: 'CSP: upgrade-insecure-requests'
slug: Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
translation_of: Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
---
<div>{{HTTPSidebar}}</div>
<p> </p>
<p>HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) <code><strong>upgrade-insecure-requests</strong></code>指令指示客户端将该站点的所有不安全URL(通过HTTP提供的URL)视为已被替换为安全URL(通过HTTPS提供的URL)。该指令适用于需要重写大量不安全的旧版URL的网站。</p>
<p><code>upgrade-insecure-requests</code>指令在 {{CSP("block-all-mixed-content")}} 之前被执行,如果其被设置,后者实际上是空操作。可以设置其中一个,但不能同时设置。</p>
<p>The <code>upgrade-insecure-requests</code> directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the {{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}}) header, which should still be set with an appropriate <code>max-age</code> to ensure that users are not subject to SSL stripping attacks.</p>
<h2 id="Syntax">Syntax</h2>
<pre class="syntaxbox">Content-Security-Policy: upgrade-insecure-requests;</pre>
<h2 id="Examples">Examples</h2>
<pre>// header
Content-Security-Policy: upgrade-insecure-requests;
// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</pre>
<p>一旦将上述头部设置在计划从HTTP迁移到HTTPS的example.com域名上, 非跳转(non-navigational)的不安全资源请求会自动升级到HTTPS(包括第当前域名以及第三方请求)。</p>
<pre class="brush: html"><img src="http://example.com/image.png">
<img src="http://not-example.com/image.png"></pre>
<p>这些URL在请求发送之前都会被改写成HTTPS,也就意味着不安全的请求都不会发送出去。注意,如果请求的资源在HTTPS情况下不可用,则该请求将失败, 其也不能回退到HTTP。</p>
<pre class="brush: html"><img src="https://example.com/image.png">
<img src="https://not-example.com/image.png"></pre>
<p>Navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded:</p>
<pre class="brush: html"><a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a></pre>
<h3 id="Finding_insecure_requests">Finding insecure requests</h3>
<p>通过 {{HTTPHeader("Content-Security-Policy-Report-Only")}} HTTP头部和 {{CSP("report-uri")}} 指令,您可以设置执行策略和报告策略,如下所示:</p>
<pre>Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint</pre>
<p>That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure resources to your endpoint.</p>
<h2 id="Specifications">Specifications</h2>
<table class="standard-table">
<tbody>
<tr>
<th scope="col">Specification</th>
<th scope="col">Status</th>
<th scope="col">Comment</th>
</tr>
<tr>
<td>{{specName("Upgrade Insecure Requests", "#delivery", "upgrade-insecure-requests")}}</td>
<td>{{Spec2('Upgrade Insecure Requests')}}</td>
<td>Initial definition.</td>
</tr>
</tbody>
</table>
<h2 id="Browser_compatibility">Browser compatibility</h2>
<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>
<p>{{Compat("http.headers.csp.upgrade-insecure-requests")}}</p>
<h2 id="See_also">See also</h2>
<ul>
<li>{{HTTPHeader("Content-Security-Policy")}}</li>
<li>{{HTTPHeader("Upgrade-Insecure-Requests")}} header</li>
<li>{{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}}) header</li>
<li>{{CSP("block-all-mixed-content")}}</li>
<li><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></li>
</ul>
|
