iOS9 不会从安全页面加载不安全的资源(SSL/HTTPS) [英] iOS9 does not load insecure resources from a secure page (SSL/HTTPS)

查看:48
本文介绍了iOS9 不会从安全页面加载不安全的资源(SSL/HTTPS)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试使用 https://URL 将页面加载到 iOS9 上的 UIWebView.加载的页面包括来自不安全服务器的 CSS 和图像.

I am trying to load a page into UIWebView on iOS9 using https:// URL. The page loaded includes CSS and images from an insecure server.

例如加载的页面:https://www.example.com/ 其中包括样式表http://www.example.com/style.css 和图片 http://www.example.com/image.jpg

E.g. the page loaded: https://www.example.com/ which includes stylesheet http://www.example.com/style.css and image http://www.example.com/image.jpg

如果原始页面是通过不安全的连接(常规 http)加载的,则一切正常.一切都可以通过 HTTPS 和 HTTP 在 iOS8 上运行.

Everything works if the original page is loaded via insecure connection (regular http). Everything works also on iOS8 both via HTTPS and HTTP.

我确实在应用程序 PLIST 文件中将 NSAppTransportSecurity 设置为 NSAllowsArbitraryLoads:

I did set NSAppTransportSecurity to NSAllowsArbitraryLoads in application PLIST file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

虽然通过 HTTPS 加载页面时,图像加载正常,但 CSS 文件加载不正常.似乎 UIWebView 会阻止从安全页面加载不安全的资源.

Though when loading the page via HTTPS, the images are loaded OK, but CSS files are not. Seems like UIWebView blocks loading insecure resources from a secure page.

是否有任何 UIWebView 设置允许通过不安全的连接加载 CSS?

Is there any setting of UIWebView that will allow to load CSS via insecure connection?

推荐答案

这与 ATS 无关.WebKit 强制执行混合内容策略,当通过 https 提供主机页面时,禁止通过不安全的连接加载对某些类别的活动"内容(JS、CSS 等)的访问.

This is not related to ATS. WebKit enforces a mixed content policy that disallows access to certain classes of "active" content (JS, CSS, etc) from being loaded over an insecure connection when the host page is being served over https.

如果您在 Inspector 中检查您的页面,您将在错误面板中看到此报告.

If you examine your page in the Inspector you will see this being reported in the error panel.

跟进:您无法关闭混合内容阻止功能.允许不安全的 CSS 或 JS 会将整个页面的安全性降低到最不安全的资源.如果必须通过 http 加载 css/js,解决方案是通过 http 加载整个页面.这样,用户看到的 UI 就能正确反映内容的安全性.

Follow up: You can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.

这篇关于iOS9 不会从安全页面加载不安全的资源(SSL/HTTPS)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆