Blocking mixed content from potentially trustworthy origins (127.0.0.0/8)

Question

Mixed content isn't blocked for potentially trustworthy origins, including IP addresses from 127.0.0.0 to 127.255.255.255. Can browsers be configured to block mixed content for such addresses? This would make local testing easier.

Answer

I have found no browser settings to treat potentially trusted domains as untrusted, BUT here are several options to make 127.0.0.1 and untrusted domains behave the same, or to generate a report of items that would normally generate a warning.

XHR

For XHR, adding an entry to your hosts file is enough (tested in Firefox 73.0.1 & Chrome 80.0.3987).

# /etc/hosts
127.0.0.1 example.com

XHR requests from https://example.com to http://example.com will be blocked by the Mixed Content rules. Note that XHR is still subject to CORS and may additionally be blocked by the CORS policy. This also applies to WebSockets and several other connection types.

<img> and other non-XHR

I have found no way to generate only a warning for images or other connection types (you can see a nearly-exhaustive list with examples at Mixed Content Examples). There are two options if you wish 127.0.0.1 to behave as if it were a regular domain:

Blocking Mixed Content

Add this CSP directive to allow only HTTPS images.

Content-Security-Policy: img-src https:

Use default-src instead of img-src to allow only HTTPS for all other connection types. List of other connection types and their directives.

Generating a report

Add this CSP directive to get the browser to POST a JSON report of resources that would have been blocked.

Content-Security-Policy-Report-Only: default-src https:; report-uri /your-endpoint

Here's some Express code to do that.

const express = require('express');
const fs = require('fs');
const debug = require('debug');

const app = express();
let cspCounter = 1;
const CSP_VIOLATION_REPORT_ENDPOINT = '/csp-violation-report-endpoint';

// Report-only mode: nothing is blocked, but every would-be violation is POSTed to the endpoint.
app.use((req, res, next) => {
  res.set('Content-Security-Policy-Report-Only', `default-src https:; report-uri ${CSP_VIOLATION_REPORT_ENDPOINT}`);
  next();
});

app.post(CSP_VIOLATION_REPORT_ENDPOINT, (req, res) => {
  const reportFile = `/tmp/csp-report-${cspCounter++}.json`;
  const out = fs.createWriteStream(reportFile);
  // Read the file back only once the whole report body has been flushed to disk.
  out.on('finish', () => {
    fs.readFile(reportFile, (err, data) => debug('csp-report')(err || JSON.parse(data.toString())));
    res.send('ok');
  });
  req.pipe(out);
});

app.listen(3000);

A test server is available at https://github.com/codebling/mixed-content-test