How can I avoid the "This page contains both secure and non secure items" warning in my browser?


Problem description


We are thinking of SSL-enabling part of our website, but some pages contain ads from third-party vendors (like Google AdSense).

I'd think this will create an annoying problem for our users since they are going to see a warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I browse to Gmail with https instead of http, I don't see that warning in Firefox.

Does anyone know how Gmail hides this?

Solution

> some page contains ads from third party vendor (like Google AdSense)

Then the browser is right — that isn't secure.

With AdSense and most other ad networks you are given a link to JavaScript. When you refer to any external <script>, you are giving complete trust over the contents of your page to the external script provider. You need to trust them to do only what they say they're going to do (show an ad), and not something nefarious like take over the login form from the page it's on and steal values you type into it, or, if the "ad" script were included on your bank account page, automatically empty out all your money.

So external scripts are a trust problem, but if you are using a vendor that provides an HTTPS interface to their ads, then at least it's only one known party you have to trust. If the ad provider only has an HTTP interface, then you're sending out your trust to anyone who can grab control with a man-in-the-middle or similar attack. You are effectively reducing the trust level of your entire page to that of plain unencrypted HTTP, so the browser is quite correct to complain that the page isn't actually any more secure than any old HTTP site.
