Chrome now blocking all jsonp requests from https to http?
Question
At some point recently Chrome has stopped showing data loaded via jsonp with the error
[blocked] The page at https://user.example.com/category/12345 ran insecure content from http://livedata.example.com/Data.svc/jsonp/GetData?category=12345&callback=_jsp&_1346417951424=.
It still works fine on all other browsers, and has been confirmed on several different computers running Chrome.
The only mention I've seen of this problem before is when the page was served from one of Google's own domains (a security feature for Google Apps, I guess?). Is this something that has been enabled on all domains now in a recent version of Chrome?
Ideally we don't want to have to enable https on our livedata subdomain because of the extra server load it would cause; the data is all publicly available, so there's no pressing need to encrypt it.
Accepted answer
It definitely should block it - it's insecure and breaks the promise of HTTPS.
A JSONP resource fetch is done by creating a `<script>` resource pointing at the target. That means the target server can run any JavaScript it likes on the including page, and hence any man-in-the-middle can inject arbitrary script into a supposedly-HTTPS-protected page (e.g. adding a keylogger, or completely replacing the page content). An HTTPS page with a `<script>` coming from HTTP is no more secure than a plain HTTP page.
You will need to provide an HTTPS version of your data feed if you want HTTPS pages to be able to access it. Otherwise browsers should, at the very least, produce warnings. Chrome now defaulting to block doesn't change the nature of the problem; it's just giving you the extra push you need to fix it properly.
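As an added example (not code from the question or the answer), the mixed-content rule the answer describes, applied to the URLs from the question: a check that flags an http `<script>` fetch from an https page the way the browser does, and a rewrite of the feed URL so the page and the feed share a scheme. It assumes the livedata host serves the same JSONP endpoint over https.

```javascript
// Added example: classify a JSONP <script> fetch as active mixed content,
// and build a feed URL that never mixes schemes. The hostnames are the
// ones from the question; nothing here is from the original post.

// Returns "blocked" when an https page would load an http script
// (active mixed content, which Chrome now blocks), "ok" otherwise.
function classifyScriptFetch(pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (page.protocol === "https:" && script.protocol === "http:") {
    return "blocked";
  }
  return "ok";
}

// Given the page's own URL and a list of script URLs it loads, return
// the ones a browser would block. Useful as a pre-deploy check.
function findMixedContentScripts(pageUrl, scriptUrls) {
  return scriptUrls.filter((s) => classifyScriptFetch(pageUrl, s) === "blocked");
}

// Rewrites the JSONP feed URL to use the page's own scheme, keeping the
// path and query (callback name and cache-buster) exactly as they were.
// Assumes the feed host answers on https as well as http.
function jsonpUrlFor(pageUrl, feedUrl) {
  const u = new URL(feedUrl);
  u.protocol = new URL(pageUrl).protocol;
  return u.toString();
}

// Constructed sample input, taken from the error message in the question.
const pageUrl = "https://user.example.com/category/12345";
const feedUrl =
  "http://livedata.example.com/Data.svc/jsonp/GetData?category=12345&callback=_jsp&_1346417951424=";

console.log(classifyScriptFetch(pageUrl, feedUrl)); // blocked
console.log(jsonpUrlFor(pageUrl, feedUrl));         // https://livedata.example.com/...
```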