Mixed-content request from HTTPS page to HTTP (non-HTTPS) localhost address not blocked

Problem description

Suppose the page below is loaded from https://127.0.100.1. The page makes an XMLHttpRequest to http://127.0.100.2. This seems like mixed content: The page is loaded over a secure connection and a resource is loaded over an insecure connection. Mixed content should be blocked by the browser. Yet, the page below works just fine.* Why does it work: Why isn't the request blocked?

Update: Going beyond the accepted answer, browsers can be configured to block mixed content for such addresses.

* Wireshark confirms that the browser does not load the resource over a secure connection.

<html>
<body>
<img id="dst"/>
<script>
  let xhr = new XMLHttpRequest();
  xhr.open('get', 'http://127.0.100.2/img.jpg');
  xhr.responseType = 'blob';
  xhr.onload = function(){
    document.getElementById('dst').src = URL.createObjectURL(xhr.response);    
  }
  xhr.send();
</script>
</body>
</html>

Recommended answer

http://127.0.100.2/img.jpg isn’t considered mixed content because the Mixed Content spec defines it as a special case of an a priori authenticated URL, due to it being in the range 127.0.0.0 - 127.255.255.255 (that is, a host with the CIDR notation 127.0.0.0/8), which per the Secure Contexts spec is defined as a secure context — even if the protocol isn’t https.

http://localhost/img.jpg http://foo.localhost/img.jpg
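
Added example (not part of the original question or answer): a simplified version of the check the answer describes, useful for auditing which subresource URLs an HTTPS page can load without a mixed-content block. The function names are hypothetical; it covers only https/wss, loopback IP addresses (including IPv6 ::1, which goes beyond the cases named above) and localhost names, and ignores browser configuration.

```javascript
// Simplified "potentially trustworthy" check for a subresource URL.
// Assumption: only https/wss, loopback IPs and localhost names are modelled;
// other spec cases (file:, user-configured origins) are omitted.
function isPotentiallyTrustworthy(rawUrl) {
  const url = new URL(rawUrl); // WHATWG parser canonicalises the host
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;

  const host = url.hostname;
  if (host === '[::1]') return true; // IPv6 loopback

  // After parsing, every IPv4 spelling (127.1, 0x7f.0.0.1, 2130706433)
  // is dotted-decimal, so comparing the first octet is enough for 127.0.0.0/8.
  const ipv4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (ipv4) return Number(ipv4[1]) === 127;

  // Names: "localhost" or any subdomain of it, tolerating a trailing root dot.
  const name = host.replace(/\.$/, '');
  return name === 'localhost' || name.endsWith('.localhost');
}

// Would a request from pageUrl to resourceUrl be treated as mixed content?
function isMixedContent(pageUrl, resourceUrl) {
  const pageIsSecure = new URL(pageUrl).protocol === 'https:';
  return pageIsSecure && !isPotentiallyTrustworthy(resourceUrl);
}

// Constructed sample URLs; the first three come from the page above.
const page = 'https://127.0.100.1/';
const samples = [
  'http://127.0.100.2/img.jpg',
  'http://localhost/img.jpg',
  'http://foo.localhost/img.jpg',
  'http://2130706433/img.jpg',              // integer form of 127.0.0.1
  'http://127.0.100.2.example.com/img.jpg', // a domain name, not a loopback IP
  'http://192.168.1.10/img.jpg',            // private, but not loopback
];
for (const u of samples) {
  console.log(isMixedContent(page, u) ? 'mixed content' : 'allowed      ', u);
}
```

Matching on the parsed hostname rather than the raw string is what keeps a name such as 127.0.100.2.example.com from being mistaken for a loopback address.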
