Chrome now blocking all jsonp requests from https to http?


Problem description


At some point recently Chrome has stopped showing data loaded via jsonp with the error:

[blocked] The page at https://user.example.com/category/12345 ran insecure content from http://livedata.example.com/Data.svc/jsonp/GetData?category=12345&callback=_jsp&_1346417951424=.

It still works fine on all other browsers, and has been confirmed on several different computers running Chrome.

The only mention I've seen of this problem before is when the page was served from one of Google's own domains (a security feature for Google Apps, I guess?). Is this something that has been enabled on all domains now in a recent version of Chrome?

Ideally we don't want to have to enable https on our livedata subdomain because of the extra server load it would cause; the data is all publicly available, so there's no pressing need to encrypt it.

Solution

It definitely should block it - it's insecure and breaks the promise of HTTPS.

A JSONP resource fetch is done by creating a <script> resource pointing at the target. That means the target server can run any JavaScript it likes on the including page, and hence any man-in-the-middle can inject arbitrary script into a supposedly-HTTPS-protected page (e.g. adding a keylogger, or completely replacing the page content). An HTTPS page with a <script> coming from HTTP is no more secure than a plain HTTP page.

You will need to provide an HTTPS version of your data feed, if you want HTTPS pages to be able to access it. Otherwise browsers should, at the very least, produce warnings. Chrome now defaulting to block doesn't change the nature of the problem; it's just giving you the extra push you need to fix it properly.
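As an added example (not code from the question or the answer), the rule the answer describes can be applied client-side before any <script> tag is created: a JSONP load is active content, so on an https: page it is blocked unless the script URL is itself https:. The helper below classifies a page/feed pair the way the browser will, and builds the JSONP URL with the feed upgraded to https, refusing to create the tag if the result would still be blocked. It assumes Node's built-in URL class and uses the URLs from the question; the callback and cache-buster parameter names are my own choice.

```javascript
// Schemes a browser treats as safe to load as <script> from an https: page.
// Assumption for this example: only these three count as trustworthy.
const TRUSTWORTHY_SCHEMES = new Set(['https:', 'wss:', 'data:']);

// Decide whether loading `scriptUrl` as a <script> from the page at `pageUrl`
// would be active mixed content. Returns { blocked, reason }.
function classifyJsonpLoad(pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page); // relative URLs resolve against the page
  if (page.protocol !== 'https:') {
    return { blocked: false, reason: 'page is not https; no mixed-content rule applies' };
  }
  if (TRUSTWORTHY_SCHEMES.has(script.protocol)) {
    return { blocked: false, reason: `script scheme ${script.protocol} is allowed on an https page` };
  }
  return { blocked: true, reason: `active mixed content: ${script.protocol} script on an https page` };
}

// Build the JSONP URL for a feed: set the callback name and a cache-busting
// timestamp, and upgrade http: to https: when the including page is https.
// Throws instead of returning a URL that the browser would block anyway.
function buildJsonpUrl(pageUrl, feedUrl, callbackName, timestamp = Date.now()) {
  const page = new URL(pageUrl);
  const feed = new URL(feedUrl, page);
  if (page.protocol === 'https:' && feed.protocol === 'http:') {
    feed.protocol = 'https:'; // only works if the feed host actually serves TLS
  }
  feed.searchParams.set('callback', callbackName);
  feed.searchParams.set('_', String(timestamp));
  const verdict = classifyJsonpLoad(pageUrl, feed.href);
  if (verdict.blocked) {
    throw new Error(`refusing to create <script>: ${verdict.reason}`);
  }
  return feed.href;
}

// Demonstration with the page and feed from the question.
const PAGE = 'https://user.example.com/category/12345';
const FEED = 'http://livedata.example.com/Data.svc/jsonp/GetData?category=12345';
console.log(classifyJsonpLoad(PAGE, FEED + '&callback=_jsp'));
console.log(buildJsonpUrl(PAGE, FEED, '_jsp', 1346417951424));
```

In a real page the returned URL would be assigned to `script.src`; the `Error` path is where a fallback such as fetching the data from a same-origin proxy belongs.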
