http到https - 使浏览器请求http URL的相应https URL,而无需编辑所有页面并手动将所有URL更改为https? [英] http to https - Make browser request corresponding https URLs for http URLs, without needing to edit all pages and manually change all URLs to https?
问题描述
我有兴趣将整个网站从http转换为https。
I am interested in switching my entire site from http over to https.
我担心的是我有一些使用绝对http网址的内容。
My concern is that I have some content that uses absolute http URLs.
我需要编辑每个页面才能将这些URL更改为相对,但这可能需要一段时间才能完成。
I will need to edit each page in order to change those URLs to relative but that might take me a while to accomplish.
我想知道的是,是否有办法通过Google跟踪代码管理器使用Javascript,以便将本地绝对网址重写为HTTPS而不是HTTP?
What I would like to know is if there is a way to use Javascript via the Google Tag Manager in order to re-write local absolute URLs to be HTTPS and not HTTP?
如果可能的话,它是否可以用作永久性解决方案?
If this is possible, could it be used as a permanent solution?
推荐答案
需要考虑的一个解决方案是内容安全政策 upgrade-insecure-requests 指令。
One solution to consider is the Content Security Policy upgrade-insecure-requests directive.
升级-insecure-requests指令指示用户代理
将所有网站的不安全URL(通过HTTP提供的URL)视为
,尽管它们已被安全URL替换(提供服务的URL)
HTTPS)。该指令适用于需要重写大量
不安全遗留URL的网站。
The
upgrade-insecure-requestsdirective instructs user agents to treat all of a site's unsecure URL's (those served over HTTP) as though they have been replaced with secure URL's (those served over HTTPS). This directive is intended for web sites with large numbers of unsecure legacy URL's that need to be rewritten.
它是相当于配置您的Web服务器,以便您的网站上的所有页面都使用此标头提供:
It’d amount to configuring your Web server so all pages on your site get served with this header:
Content-Security-Policy: upgrade-insecure-requests
因此,添加该标题的效果将是:对于您网站上的任何网页,一个 https URL,只要浏览器在其中一个页面中看到嵌入式(子)资源的 http URL - 无论是样式表,脚本,图像,视频等的URL,浏览器都会自动(透明地)尝试从相应的 https URL中获取资源。
So the effect of adding that header would be: for any page at your site served with an https URL, any time a browser sees in one of those pages an http URL for an embedded (sub)resource —whether it be a URL for a stylesheet, script, image, video, or whatever—the browser will automatically (transparently) try to fetch the resource from the corresponding https URL instead.
有关详细信息,请参阅升级不安全请求规范。
For more details, you can see the Upgrade Insecure Requests spec.
2018 -05-11更新
现在所有专业都支持 upgrade-insecure-requests 指令浏览器引擎(包括Edge 17+和Safari 10.3 +):
The upgrade-insecure-requests directive is now supported in all major browser engines (including Edge 17+ and Safari 10.3+):
https://caniuse.com/#feat=upgradeinsecurerequests
现在使用它的缺点是,到目前为止它只支持在Firefox(自Firefox 42 )和Chrome中。但它也是:
The downside of using it now is, so far it’s only supported in Firefox (since Firefox 42) and Chrome. But it also:
- has an open Safari/WebKit implementation-tracking/feature bug
- is under consideration by Microsoft for implementation in Edge
PS,我在W3C工作,我们最近(最终)启用了对所有W3C站点资源的TLS / https访问 - 并且由于W3C拥有数十万(可能是数百万)页面 http 嵌入式子资源的URL,我们能够实现它的方式部分是通过提供 Content-Security-Policy:upgrade-insecure-requests 整个网站的标题。
P.S., I work at the W3C, where we recently (finally) enabled TLS/https access to all W3C site resources—and since the W3C has hundreds of thousands (maybe millions) of pages with http URLs for embedded subresources, the way we were able to make it happen was in part by serving the Content-Security-Policy: upgrade-insecure-requests header across the entire site.
文章在w3.org上支持HTTPS和HSTS 提供了有关部署详细信息的更多信息。
The article Supporting HTTPS and HSTS on w3.org gives more info about the deployment details.
这篇关于http到https - 使浏览器请求http URL的相应https URL,而无需编辑所有页面并手动将所有URL更改为https?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
