問題描述
假設下面的頁面是從 https://127.0.100.1 加載的.該頁面向 http://127.0.100.2 發出 XMLHttpRequest.這似乎是混合內容:頁面通過安全連接加載,資源通過不安全連接加載.混合內容應被瀏覽器阻止.然而,下面的頁面運行良好.* 為什么會運行:為什么請求沒有被阻止?
Suppose the page below is loaded from https://127.0.100.1. The page makes an XMLHttpRequest to http://127.0.100.2. This seems like mixed content: The page is loaded over a secure connection and a resource is loaded over an insecure connection. Mixed content should be blocked by the browser. Yet, the page below works just fine.* Why does it work: Why isn't the request blocked?
更新:超越接受的答案,瀏覽器可以配置來阻止此類地址的混合內容.
Update: Going beyond the accepted answer, browsers can be configured to block mixed content for such addresses.
* Wireshark 確認瀏覽器沒有通過安全連接加載資源.
推薦答案
http://127.0.100.2/img.jpg 不被視為混合內容,因為混合內容規范將其定義為先驗認證 URL,因為它在 127.0.0.0 - 127.255.255.255 范圍內(即具有 CIDR 表示法 127.0.0.0/8 的主機),根據安全上下文規范被定義為安全上下文——即使協議不是 https.
http://127.0.100.2/img.jpg isn’t considered mixed content because the Mixed Content spec defines it as a special case of an a priori authenticated URL, due to it being in the range 127.0.0.0 - 127.255.255.255 (that is, a host with the CIDR notation 127.0.0.0/8), which per the Secure Contexts spec is defined as a secure context — even if the protocol isn’t https.
http://localhost/img.jpg 或 http://foo.localhost/img.jpg
這篇關于從 HTTPS 頁面到 HTTP(非 HTTPS)本地主機地址的混合內容請求未被阻止的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!