When a page delivers secure and non-secure items over https, are the secure items compromised?

Question

I'm not 100% sure that I'm using the correct terminology or if I'm leaving out information that is required to answer. So please be patient with me.

My client wants to include a video feed from an outside source inside a members area of their website. The members area is delivered over https and the video feed is not. Does this compromise the secure data?

I know that some browsers alert the user that there are secure and non-secure data being loaded on the page. Frankly, my client is okay with that, but I don't want to move forward if the user account information (specifically, session, etc.) is compromised.

Thanks for any help.

Recommended answer

If your page references unencrypted Javascript or Flash, you're totally unprotected; an attacker can substitute any Javascript he wants, and can steal non-HTTP-only cookies, or make arbitrary HTTP requests that impersonate the current user.

If you reference unencrypted CSS, you're still vulnerable; attackers can arbitrarily modify your layout, and can execute arbitrary code in IE and Firefox.

If you reference unencrypted images, you're mostly fine; all the attacker can do is see the Referer header and find out what page the user is seeing. (He'll also get any non-SSL-only cookies for the image's domain). The attacker can also alter the images to suit his needs, which may be a concern.
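
As an added example, not part of the original answer: a small Python audit that lists the plain-HTTP subresources in a page's markup and labels each with the risk tier the answer describes. The tag-to-tier mapping, the `audit` helper and the sample markup with its placeholder hostnames are assumptions of this example.

```python
from html.parser import HTMLParser

SCRIPT = "script/plugin: attacker can run code as the user"
CSS = "stylesheet: attacker can rewrite the layout"
IMAGE = "image: Referer and non-Secure cookies exposed, content alterable"
OTHER = "other embedded content: not covered by the answer, review manually"

# tag -> (URL attribute, tier). Tiers follow the answer above; the mapping
# itself is an assumption of this example.
SUBRESOURCES = {
    "script": ("src", SCRIPT), "embed": ("src", SCRIPT), "object": ("data", SCRIPT),
    "link": ("href", CSS), "img": ("src", IMAGE),
    "iframe": ("src", OTHER), "video": ("src", OTHER), "source": ("src", OTHER),
}

class MixedContentAudit(HTMLParser):
    """Collect subresources that a page served over HTTPS loads over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tier, tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href>: a navigation target, not loaded into the page
        attr, tier = SUBRESOURCES[tag]
        values = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" not in values.get("rel", "").lower().split():
            return  # only stylesheet links belong to the CSS tier
        url = values.get(attr, "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((tier, tag, url))

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a members page with a third-party video feed (placeholder hostnames).
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://static.example.net/site.css">
<script src="https://members.example.com/app.js"></script>
<script src="http://video.example.net/player.js"></script>
<img src="http://video.example.net/poster.png">
<iframe src="http://video.example.net/feed"></iframe>
<a href="http://example.org/about">About</a>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_PAGE), sep="\n")
```

Only explicit `http://` URLs are flagged; protocol-relative and `https://` references inherit or use TLS and are left out of the findings.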
