Is there any reason not to serve https content on a page served over http?


Problem description


I currently have image content being served on a domain that is only accessible over https. What is the downside of serving an image with an https path on a page accessed over http? Are there any caching considerations? I'm using an HttpRuntime.Cache object to store the absolute image path, which is retrieved from a database.

  • I assume there is no benefit to using protocol-relative URLs if the image is only accessible over https?


Is there a compelling reason why I should set up a separate virtual directory to also serve the image content over http?

Recommended answer


    • If the content served over HTTPS within the HTTP page isn't particularly sensitive and could equally be served over HTTP, there is no downside (perhaps some performance issues, not necessarily much, and lack of caching, depending on how your server is configured: you can cache some HTTPS content).


      If the content served over HTTPS is sufficiently sensitive to motivate the usage of HTTPS, this is really bad practice.


      Checking that HTTPS is used and used correctly is solely the responsibility of the client and its user (this is why automatic redirections from HTTP to HTTPS are only partly useful, for example). Although some of it has to do with the technicalities of certificate verification, a lot of the security offered by HTTPS comes from the fact that the user:


      1. expects HTTPS to be used (otherwise they can easily be downgraded),

      2. is able to verify the validity of the certificate: green/blue bar, corresponding to the host name they expect to be on.


      The first point can be addressed by HTTP Strict Transport Security, from a technical point of view.


      The second needs user interaction. If you go to your bank's website, it must not only be a site with a valid certificate, but you should also check that it's indeed the domain name of your bank, for example.


      Embedding HTTPS content in an HTTP page defeats this, since the user can't check which site is being used, and that HTTPS is used at all in fact. To some extent, embedding HTTPS content from a third party in an HTTPS page also presents this problem (this is one of the problems with 3-D Secure, which may well be served using HTTPS, but using an iframe doesn't make which site is actually used visible.)
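To make the answer's distinctions concrete (and to answer the protocol-relative sub-question from the original post), here is an added example, not code from the question or the answer: a small audit that resolves each sub-resource reference in a page against the page's own scheme and says how it would actually be fetched. The page URL and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example (not from the original question or answer): audit which
# sub-resources of a page are fetched over which scheme. Sample data is constructed.
class _RefCollector(HTMLParser):
    """Collects src/href references from tags that load sub-resources."""
    TAGS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = self.TAGS.get(tag)
        for name, value in attrs:
            if want and name == want and value:
                self.refs.append(value)

def classify(page_url, ref):
    """Return (resolved_url, verdict) for one reference found on the page."""
    page_scheme = urlsplit(page_url).scheme
    resolved = urljoin(page_url, ref)
    res_scheme = urlsplit(resolved).scheme
    if ref.startswith("//"):
        # Protocol-relative: inherits the page scheme, so on an http:// page
        # the fetch is plain HTTP and fails against an HTTPS-only host.
        verdict = "protocol-relative, inherits page scheme"
    elif page_scheme == "https" and res_scheme == "http":
        verdict = "mixed content: browsers block or warn"
    elif page_scheme == "http" and res_scheme == "https":
        # Encrypted in transit, but the user sees an http:// page and cannot
        # check which HTTPS site was actually used (the answer's objection).
        verdict = "https in http page: encrypted but unverifiable by the user"
    else:
        verdict = "same scheme as page"
    return resolved, verdict

def audit(page_url, html):
    """Map each sub-resource reference in html to (resolved URL, verdict)."""
    collector = _RefCollector()
    collector.feed(html)
    return {ref: classify(page_url, ref) for ref in collector.refs}

# Constructed sample: an http:// page pulling images from an HTTPS-only host.
PAGE_URL = "http://www.example.com/gallery"
SAMPLE_HTML = ('<img src="https://images.example.net/a.png">'
               '<img src="//images.example.net/b.png">'
               '<img src="/local/c.png">')
```

Running `audit(PAGE_URL, SAMPLE_HTML)` shows the protocol-relative reference collapsing to plain `http://`, which is why it brings no benefit when the image host only answers over HTTPS.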

