阻止所有混合内容 [英] Block all mixed content

问题描述

如何完全阻止任何混合内容加载？

How do I completely prevent any mixed content from loading?

目前的浏览器已经阻止活动混合内容（脚本）。我真正想要的是阻止所有这些，包括图像。

Current browsers are already blocking active mixed content (scripts). What I really want is to block all of it including images.

这样做的目的是立即将每个违规图像或文件视为损坏，但不是地址栏中的模糊警告。

Purpose of this is to immediately see every offending image or file as broken, but not as an ambiguous warning in the address bar.

有没有跨浏览器的方式呢？

Is there a cross-browser way to do that?

推荐答案

严格阻止所有混合内容的标准方法： block-all-mixed-content CSP指令。

The standard way to strictly block all mixed content: block-all-mixed-content CSP directive.

在最简单的情况下，如果您没有设置其他CSP指令，它只需发送此标题：

In the simplest case if you’re not setting other CSP directives, it requires just sending this header:

Content-Security-Policy: block-all-mixed-content

由于并非每个浏览器都支持此指令，因此发送扩展标题而不是：

Since not every browser support this directive, it may be feasible to send an extended header instead:

Content-Security-Policy: img-src https: data:

其他选项是强制所有普通的http请求通过https：

Other option is to force all plain http requests to go over https:

Content-Security-Policy: upgrade-insecure-requests

这篇关于阻止所有混合内容的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！