Is it possible to allow HTTP requests from an HTTPS website?

Updated: 2024-10-18 16:53:28

Question

I have installed a (non-wildcard) SSL certificate so my website can use HTTPS. When I try to request resources from HTTP URLs I get an error message like:

Mixed Content: The page at 'example/' was loaded over HTTPS, but requested an insecure stylesheet 'resources.example/style.css'. This request has been blocked; the content must be served over HTTPS.

I get that it probably is a bad practice according to all kinds of opinions people might have when it comes to mixing http and https, but I only ask for static resources that I don't regard as critical over http.

Tried to google "allow http requests from https with iis" and similar, but can't find a clear answer. Is there a way around this, is it solvable the same way CORS is?

Sorry if the question isn't very smart and if the answer is obvious, but I lack quite some knowledge when it comes to networking stuff.

Recommended answer

stylesheet ... static resources that I don't regard as critical over http.

CSS can include script and script can alter the page, so it is considered critical.

..."allow http requests from https with iis" ...

The decision to deny mixed content is done within the browser. There is no setting which will allow the browser to include mixed content. The behavior on what is considered mixed content differs between browsers and versions, look here for more information from a year ago.

The security model of CORS cares about same origin policy and a server may decide that a specific other side might do a CORS request. But in this case it is the question if the content might be modified in transit by anybody (i.e. man-in-the-middle attack).
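Because the browser makes the blocking decision, the practical fix is to find the `http://` subresources a page references and serve them over HTTPS. The following is an added example, not part of the original answer: it assumes the blockable/upgradeable split from the W3C Mixed Content specification, and the function name `find_mixed_content` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "Blockable" fetches can run script or restyle the page, so browsers refuse them.
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# Media fetches are "upgradeable": retried over HTTPS or loaded with a warning,
# depending on browser and version.
UPGRADEABLE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) == ("link", "href"):
                # Only stylesheet links are treated as subresource loads here.
                if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                    continue
                category = "blockable"
            elif (tag, name) in BLOCKABLE:
                category = "blockable"
            elif (tag, name) in UPGRADEABLE:
                category = "upgradeable"
            else:
                continue  # e.g. <a href> is a navigation, not mixed content
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, value.strip())
            if urlparse(url).scheme == "http":
                self.findings.append((category, tag, url))

def find_mixed_content(page_url, html):
    """Return the insecure subresources referenced by an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, modelled on the error message in the question.
SAMPLE = """<link rel="stylesheet" href="http://resources.example/style.css">
<link rel="stylesheet" href="//resources.example/theme.css">
<script src="/js/app.js"></script><img src="http://resources.example/logo.png">
<a href="http://resources.example/about">About</a>"""
```

Every entry the function returns as `blockable` needs an HTTPS URL before the browser will load it; protocol-relative and relative URLs inherit the page's scheme and are not reported.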

Published: 2023-11-28 09:56:47
Article link: https://www.elefans.com/category/jswz/34/1641932.html