可以“显示不安全的内容”是否检测到浏览器提示? [英] Can "Show Insecure Content" Browser Prompt Be Detected?
问题描述
我们都熟悉页面上混合方案(http / https)内容的问题。
We are all familiar with the problem of mixed scheme (http / https) content on a page.
我正在一个不可避免的网站上工作。我不想阻止此。我知道有很多问题/答案。
I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.
我需要的只是检测这个(通过JavaScript?)所以我可以调整页面行为(显示降级行为的通知或某事)。有什么帮助吗?
What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?
推荐答案
这很麻烦,但我设法用JavaScript来解决所有浏览器中的问题。让我看看我是否可以草拟它。
It's hacky, but I managed to fix this in all browsers with just JavaScript. Let me see if I can sketch it out.
我们有这个基本的加密页面:
We have this basic encrypted page:
<html>
<body>
<div> stuff </div>
<iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
</body>
</html>
当 URL_WHICH_IS_MAYBE_INSECURE
是https时,一切都很好。但是当 URL_WHICH_IS_MAYBE_INSECURE
为http时,IE将不加载内容,除非用户确定不安全/混合内容。我想告诉用户页面有点被破坏,直到他们点击允许。由于我无法进入的原因,我知道所有网站都值得信赖。只是其中一些不支持SSL而且父站点需要。
When URL_WHICH_IS_MAYBE_INSECURE
is https, all is good. But when URL_WHICH_IS_MAYBE_INSECURE
is http, IE will not load the content unless the user OK's insecure/mixed content. I want to tell the user the page is kinda busted until they click allow. For reasons I can't go into, I know all the sites are trustworthy. Just some of them do not support SSL and the parent site needs to.
AFAIK,我无法用JS检测到这个对话框/半加载状态。但我能做的就是在他们允许的情况下在不安全的连接上运行JS(这也使iframe成为可能)。当 URL_WHICH_IS_MAYBE_INSECURE
为http&时,仅该网站是https(混合)我添加两位代码+ HTML。
AFAIK, I cannot detect this dialog / semi-loaded state with JS. But what I can do is run JS over an insecure connection IF they allow it (which also makes the iframe go). So only when URL_WHICH_IS_MAYBE_INSECURE
is http & the site is https (mixed) I add two bits of code + HTML.
<html>
<body>
<div> stuff </div>
@if(needSpecialHandlingForMixedMode) {
<div id="secureWarn">
WARNING: This page has limited functionality, allow mixed content
</div>
}
<iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
</body>
@if (needSpecialHandlingForMixedMode)
{
string baseUrl = Request.Url.SchemeAndHostAndPort().Replace("https", "http");
<script src="@baseUrl/scripts/security-warning.js"></script>
}
</html>
且脚本是
$(document).ready(function(e) {
$("#secureWarn").remove();
});
所以就像这样。
- 如果是混合模式,iframe和脚本只会在用户允许的情况下加载。默认情况下,这在IE中是不允许的,默认情况下允许在Chrome& FireFox。
- 如果他们什么都不做(例如,在IE中不允许),它会使警告div保持可见。
- 如果他们单击它,iframe加载,现在脚本也运行(因为它不安全回到我的服务器),这将从页面中删除警告。
- 幸福开始......
- If mixed-mode both the iframe and script will only load if the user allows it. This is not allowed by default in IE and is allowed by default in Chrome & FireFox.
- If they do nothing (don't allow in IE, for example), it will keep the warning div visible.
- If they do click it, the iframe loads, and now the script also runs (because it was insecure back to my server), this removes the warning from the page.
- Happiness commences...
希望这有助于某人。
干杯,
Michael
Cheers, Michael
这篇关于可以“显示不安全的内容”是否检测到浏览器提示?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!