Detect broken lock icon (mixed secure/insecure content) from Javascript


Problem description

I'm working on making a site fully functional under HTTPS. As part of this, I'd like to ensure we never "break the lock." That is, we should never load non-SSL content on an SSL page, which can trigger a warning or other indicator depending on the browser. To verify this is the case, I'd like to do two things:


  1. Write Selenium tests that verify various actions don't break the lock.

  2. Write logging code in JS that checks whether the lock has been broken during a user's session and reports back to the server if so.

Is there any method that can be used in JS to check the broken / not broken state of the browser's HTTPS lock icon? Or equivalently, the mixed / non-mixed state of the current page's content?

Recommended answer

It looks like Mozilla's CSP (Content Security Policy), implemented in Firefox 4, partially solves this. It can limit content loaded on your site to only SSL ports, and send a report back to a specified URL when the browser attempts to load something non-SSL. It's only in Firefox 4 so far, but we have enough FF4 users that this can serve as a decent early warning system.

Update 8/15: CSP is supported in Chrome too. I've used this effectively in production as an early-warning system for mixed content errors. It looks roughly like this:

X-WebKit-CSP-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /report_mixed_content; img-src https://* data: ; frame-src https://* about: javascript:

Note that this is a very permissive header, intending to catch only mixed content errors. You'll want to use X-Content-Security-Policy for Firefox.

If you deploy this to a percentage of your users you'll get logs whenever you accidentally deploy a mixed content error. To make this effective for Selenium tests you'd have to add a special test-mode handler for /report_mixed_content that causes the test to fail.

For internal users, I have this always enabled in enforce mode (remove the -Report-Only). This helps make sure other developers notice mixed content errors in new features before they get deployed.
