可以“显示不安全的内容”是否检测到浏览器提示？ [英] Can "Show Insecure Content" Browser Prompt Be Detected?

问题描述

我们都熟悉页面上混合方案（http / https）内容的问题。

We are all familiar with the problem of mixed scheme (http / https) content on a page.

我正在一个不可避免的网站上工作。我不想阻止此。我知道有很多问题/答案。

I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.

我需要的只是检测这个（通过JavaScript？）所以我可以调整页面行为（显示降级行为的通知或某事）。有什么帮助吗？

What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?

推荐答案

这很麻烦，但我设法用JavaScript来解决所有浏览器中的问题。让我看看我是否可以草拟它。

It's hacky, but I managed to fix this in all browsers with just JavaScript. Let me see if I can sketch it out.

我们有这个基本的加密页面：

We have this basic encrypted page:

<html> 
   <body>
        <div> stuff </div>
        <iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
   </body>
</html>

当 URL_WHICH_IS_MAYBE_INSECURE 是https时，一切都很好。但是当 URL_WHICH_IS_MAYBE_INSECURE 为http时，IE将不加载内容，除非用户确定不安全/混合内容。我想告诉用户页面有点被破坏，直到他们点击允许。由于我无法进入的原因，我知道所有网站都值得信赖。只是其中一些不支持SSL而且父站点需要。

When URL_WHICH_IS_MAYBE_INSECURE is https, all is good. But when URL_WHICH_IS_MAYBE_INSECURE is http, IE will not load the content unless the user OK's insecure/mixed content. I want to tell the user the page is kinda busted until they click allow. For reasons I can't go into, I know all the sites are trustworthy. Just some of them do not support SSL and the parent site needs to.

AFAIK，我无法用JS检测到这个对话框/半加载状态。但我能做的就是在他们允许的情况下在不安全的连接上运行JS（这也使iframe成为可能）。当 URL_WHICH_IS_MAYBE_INSECURE 为http&时，仅该网站是https（混合）我添加两位代码+ HTML。

AFAIK, I cannot detect this dialog / semi-loaded state with JS. But what I can do is run JS over an insecure connection IF they allow it (which also makes the iframe go). So only when URL_WHICH_IS_MAYBE_INSECURE is http & the site is https (mixed) I add two bits of code + HTML.

<html> 
   <body>
        <div> stuff </div>
        @if(needSpecialHandlingForMixedMode) {
            <div id="secureWarn">
                 WARNING: This page has limited functionality, allow mixed content
             </div>
        }
        <iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
   </body>

   @if (needSpecialHandlingForMixedMode)
   {
      string baseUrl = Request.Url.SchemeAndHostAndPort().Replace("https", "http");
      <script src="@baseUrl/scripts/security-warning.js"></script>
   }
</html>

且脚本是

$(document).ready(function(e) {
    $("#secureWarn").remove();
});

所以就像这样。

1. 如果是混合模式，iframe和脚本只会在用户允许的情况下加载。默认情况下，这在IE中是不允许的，默认情况下允许在Chrome& FireFox。


2. 如果他们什么都不做（例如，在IE中不允许），它会使警告div保持可见。


3. 如果他们单击它，iframe加载，现在脚本也运行（因为它不安全回到我的服务器），这将从页面中删除警告。


4. 幸福开始......

1. If mixed-mode both the iframe and script will only load if the user allows it. This is not allowed by default in IE and is allowed by default in Chrome & FireFox.
2. If they do nothing (don't allow in IE, for example), it will keep the warning div visible.
3. If they do click it, the iframe loads, and now the script also runs (because it was insecure back to my server), this removes the warning from the page.
4. Happiness commences...

希望这有助于某人。

干杯，
Michael

Cheers, Michael

这篇关于可以“显示不安全的内容”是否检测到浏览器提示？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！