How can I allow Mixed contents (http with https) using content-security-policy meta tag?

Question

I'm forcing https to access my website, but some of the contents must be loaded over http (for example video contents can not be over https), but the browsers block the request because of mixed-contents policy.

After hours of searching I found that I can use Content-Security-Policy but I have no idea how to allow mixed contents with it.

<meta http-equiv="Content-Security-Policy" content="????">

Recommended answer

You can't.

CSP is there to restrict content on your website, not to loosen browser restrictions.

Secure https sites give users certain guarantees and it's not really fair to then allow http content to be loaded over it (hence the mixed content warnings) and really not fair if you could hide these warnings without your users' consent.

You can use CSP for a couple of things to aid a migration to https, for example:

  1. You can use it to automatically upgrade http requests to https (though browser support isn't universal). This helps in case you missed changing an http link to its https equivalent. However, this assumes the resource can be loaded over https, and it sounds like you cannot load them over https, so that's not an option.

You can also use CSP to help you identify any http resources on your site you missed by reporting back a message to a service you can monitor to say an http resource was attempted to be loaded. This allows you to identify and fix the http links to https so you don't have to depend on the above automatic upgrade.

But neither is what you are really looking for.
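The two migration aids the answer mentions, sketched as a Node request listener. This is an added example, not code from the original question or answer; the `/csp-report` path, the function names and the policy's source list are assumptions chosen for illustration.

```javascript
// Added example, not from the original answer; /csp-report is an assumed path.

// Use 1: have the browser rewrite http:// subresource URLs to https://.
// This directive also works in a <meta http-equiv="Content-Security-Policy"> tag.
const UPGRADE_POLICY = 'upgrade-insecure-requests';

// Use 2: report, without blocking, anything not fetched over https.
// Report-Only policies and report-uri must be sent as HTTP response headers;
// browsers ignore them in a <meta> tag.
const REPORT_ONLY_POLICY =
  "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report";

// Returns {page, resource} when a violation report names an http:// resource,
// otherwise null (malformed body, or a violation unrelated to http).
function insecureResource(rawBody) {
  let report;
  try {
    report = JSON.parse(rawBody)['csp-report'];
  } catch {
    return null;
  }
  const blocked = report && report['blocked-uri'];
  if (typeof blocked !== 'string' || !/^http:/i.test(blocked)) return null;
  return { page: String(report['document-uri']), resource: blocked };
}

// Node request listener: pass to http.createServer(handler).
function handler(req, res) {
  if (req.method === 'POST' && req.url === '/csp-report') {
    let body = '';
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > 16384) req.destroy(); // reports are small; cap the body
    });
    req.on('end', () => {
      const hit = insecureResource(body);
      if (hit) console.log(`http resource ${hit.resource} requested by ${hit.page}`);
      res.writeHead(204);
      res.end();
    });
    return;
  }
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': UPGRADE_POLICY,
    'Content-Security-Policy-Report-Only': REPORT_ONLY_POLICY,
  });
  res.end('<!doctype html><title>CSP migration demo</title>');
}
```

Neither header relaxes mixed-content blocking: a resource that is only available over http still fails to load, it is just upgraded or reported.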
