---
title: Secure contexts
slug: Web/Security/Secure_Contexts
translation_of: Web/Security/Secure_Contexts
---
<p><span class="seoSummary"><strong>Secure contexts</strong> are <code>Window</code> and <code>Worker</code> contexts</span> that meet minimum standards of authentication and confidentiality<span class="seoSummary">.</span> Many Web APIs can only be accessed from a secure context. The main goal of secure contexts is to prevent {{interwiki("wikipedia", "man-in-the-middle attack", "MITM attackers")}} from abusing powerful APIs.</p>

<h2 id="为什么要限制某些功能">Why should some features be restricted?</h2>

<p>Some APIs are very powerful and give an attacker greater capabilities and more things to do, such as:</p>

<ul>
 <li>Invade a user's privacy.</li>
 <li>Get low-level access to a user's computer.</li>
 <li>Get access to data such as user credentials.</li>
</ul>

<h2 id="When_is_a_context_considered_secure">When is a context considered secure?</h2>

<p>A context is considered secure when it meets certain minimum standards of authentication and confidentiality defined in the <a href="https://w3c.github.io/webappsec-secure-contexts/">Secure Contexts</a> specification. A particular document is considered to be in a secure context when it is the <a href="https://html.spec.whatwg.org/multipage/browsers.html#active-document">active document</a> of a <a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">top-level browsing context</a> (basically, a containing window or tab) that is a secure context.</p>

<p>For example, even for a document delivered over TLS within an {{HTMLElement("iframe")}}, its context is <strong>not</strong> considered secure if it has an ancestor that was not also delivered over TLS.</p>

<p>However, it’s important to note that if a non-secure context causes a new window to be created (with or without specifying <a href="/en-US/docs/Web/API/Window/open#noopener">noopener</a>), then the fact that the opener was insecure has no effect on whether the new window is considered secure. That’s because the determination of whether or not a particular document is in a secure context is based only on considering it within the top-level browsing context with which it is associated — and not whether a non-secure context happened to be used to create it.</p>

<p>Locally-delivered resources such as those with <em>http://127.0.0.1</em> URLs, <em>http://localhost</em> URLs (under certain conditions), and <em>file://</em> URLs are also considered to have been delivered securely.</p>

<p>Resources that are not local, to be considered secure, must meet the following criteria:</p>

<ul>
 <li>must be served over <em>https://</em> or <em>wss://</em> URLs</li>
 <li>the security properties of the network channel used to deliver the resource must not be considered deprecated</li>
</ul>
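<p>The rules in this section, worked into code as an added example (not code from this page or the browser's actual implementation): a simplified check that decides whether a single URL counts as securely delivered under the criteria listed above, and then derives a document's secure-context status by requiring every ancestor up to the top-level browsing context to pass. The "certain conditions" the text attaches to <em>http://localhost</em> are assumed to hold, and the "deprecated channel" criterion is not modelled.</p>

```javascript
// Added example: a simplified model of the secure-context rules described on
// this page. It is not the browser's real algorithm (see the Secure Contexts
// spec); it only covers the cases the text lists.

// Does a single URL count as securely delivered under the page's criteria?
function isPotentiallyTrustworthyUrl(urlString) {
  const url = new URL(urlString);

  // Non-local resources must be served over https:// or wss://.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Locally delivered resources are also treated as secure: file:// URLs ...
  if (url.protocol === "file:") return true;

  // ... and plain http:// / ws:// URLs for loopback hosts. Real browsers only
  // trust "localhost" under certain conditions; assumed satisfied here.
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return url.hostname === "127.0.0.1" || url.hostname === "localhost";
  }

  // Anything else (including http:// to a remote host) is not secure.
  return false;
}

// A document is in a secure context only if it and every ancestor up to the
// top-level browsing context were delivered securely. `chain` lists the URLs
// from the top-level document down to the document being checked, so a TLS
// iframe under an http:// parent fails even though its own URL is https://.
function isSecureContext(chain) {
  return chain.length > 0 && chain.every(isPotentiallyTrustworthyUrl);
}

// A window opened by a non-secure context is judged only by its own top-level
// browsing context; the opener's (in)security is deliberately ignored.
function isSecureContextOfOpenedWindow(openerChain, newWindowUrl) {
  void openerChain; // not consulted, per the rule described above
  return isSecureContext([newWindowUrl]);
}
```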

<h2 id="Feature_detection">Feature detection</h2>

<p>Pages can use feature detection to check whether they are in a secure context or not by using the {{domxref("WindowOrWorkerGlobalScope.isSecureContext", "isSecureContext")}} boolean, which is exposed on the global scope.</p>

<pre class="brush: js notranslate">if (window.isSecureContext) {
  // Page is a secure context, so service workers are available
  navigator.serviceWorker.register("/offline-worker.js").then(function (registration) {
    // Registration succeeded; offline functionality can now be relied on
    console.log("Service worker registered with scope:", registration.scope);
  });
}</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <td>Specification</td>
   <td>Status</td>
   <td>Comment</td>
  </tr>
  <tr>
   <td>{{SpecName('Secure Contexts')}}</td>
   <td>{{Spec2('Secure Contexts')}}</td>
   <td>Editor’s Draft</td>
  </tr>
 </tbody>
</table>

<h2 id="See_also">See also</h2>

<ul>
 <li><a href="/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts">Platform features restricted to secure contexts</a> — a list of the features available only in secure contexts</li>
 <li>{{domxref("Window.isSecureContext")}}</li>
 <li><a href="https://permission.site">https://permission.site</a> — A site that allows you to check what API permission checks your browser employs, over HTTP and HTTPS</li>
 <li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security</a> HTTP header</li>
</ul>

<div>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</div>