Chrome iFrame Block HTTPS redirect


Problem description

I've got a parent site: https://a.company.com, which contains an iframe with https content (https://b.company.com/foo), and everything is happy so far. But when a redirect occurs to load a different route on that same domain, Chrome blocks it as a mixed content error. Viewing the request in the network traffic confirms that the browser is requesting https, yet Chrome still cancels the request, citing that I can't load mixed (http) content.

All searching has got me so far is people trying to load mixed content, which is not the case here.

For reference, this is the Chrome error: Mixed Content: The page at 'https://a.company/foo' was loaded over HTTPS, but requested an insecure resource 'http:/b.company/bar'. This request has been blocked; the content must be served over HTTPS.

The actual frame source is https:/b.company/foo, which has a possible redirect to https:/b.company/bar. If the page does not redirect, no error occurs.

Recommended answer

Old question but still relevant, so I will try to answer this.

As previously stated: You are not allowed to load unsafe http-content within a https-served website since it would compromise the security. If you try to do it anyway, Chrome will prevent it and throw the aforementioned error.

The first step to ensure that you are indeed requesting via https is to check the URL in the iframe, which should look like this:

<iframe src="https://foobar.com"></iframe>
                ↑
          this needs to be https

Now take that exact URL and paste it into any browser to see what rules are in place. If you are redirected in any way, it is possible that an unsafe http-connection is used after or in between the redirects. They might even have a straight https-to-http rule in place (unlikely). Also check the console, since they might attempt to load unsafe content within their https-served page as well, which could result in an error on your end. If you find one of those things but you have no access to the server, your journey ends here, unless you want to serve that content so badly that you are willing to use http yourself.

If you, on the other hand, have access to the server you could remove those redirects or check their configuration. Since there are many different web-servers, operating systems and configurations I won't attempt to give a general tutorial but it shouldn't be hard to find with the search engine of your choosing.

In general: if the content you want to load is served only via https, it will work.

When everything in the browser seems to work correctly (no visible redirects) and you still get the error, you could use Wireshark or other tools to log your traffic. It could be a misconfigured https that messes up the handshake in some way Chrome doesn't like. Post those logs on SO or share the website you want to display in your iframe so we can analyze it further, since it is unlikely that there is a general solution.
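
The check the answer describes, following the frame URL one redirect at a time and looking for a plain-http hop, can be scripted. This is an added example, not code from the original question or answer; the `b.example.test` chain and the `fake_fetch` helper are constructed for illustration, and `fetch_once` is an assumed live fetcher built on the standard library.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_once(url):
    """Issue one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=10)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=fetch_once, max_hops=10):
    """Walk the chain hop by hop; return (hops, insecure_urls)."""
    hops, insecure, url, seen = [], [], start_url, set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        if urlsplit(url).scheme != "https":
            insecure.append(url)  # the hop a browser reports as mixed content
        status, location = fetch(url)
        hops.append((url, status))
        # Location may be relative, so resolve it against the current URL.
        url = urljoin(url, location) if status in REDIRECTS and location else None
    return hops, insecure

# Constructed sample chain (not from the original page): an https frame URL
# that bounces through plain http before landing on https again.
SAMPLE = {
    "https://b.example.test/foo": (302, "http://b.example.test/bar"),
    "http://b.example.test/bar": (301, "https://b.example.test/bar"),
    "https://b.example.test/bar": (200, None),
}

def fake_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    hops, insecure = trace_redirects("https://b.example.test/foo", fetch=fake_fetch)
    for url, status in hops:
        print(status, url)
    print("insecure hops:", insecure or "none")
```

Calling `trace_redirects` with only the frame's `src` URL uses `fetch_once` against the live server; any entry in the second return value is a hop that has to be fixed on the server side.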
