目录搜索
GuidesAccess control CORSAuthenticationBrowser detection using the user agentCachingCaching FAQCompressionConditional requestsConnection management in HTTP 1.xContent negotiationContent negotiation: List of default Accept valuesCookiesCSPMessagesOverviewProtocol upgrade mechanismProxy servers and tunnelingProxy servers and tunneling: Proxy Auto-Configuration (PAC) filePublic Key PinningRange requestsRedirectionsResources and specificationsResources and URIsResponse codesServer-Side Access ControlSessionGuides: BasicsBasics of HTTPChoosing between www and non-www URLsData URIsEvolution of HTTPIdentifying resources on the WebMIME TypesMIME types: Complete list of MIME typesCSPContent-Security-PolicyContent-Security-Policy-Report-OnlyCSP: base-uriCSP: block-all-mixed-contentCSP: child-srcCSP: connect-srcCSP: default-srcCSP: font-srcCSP: form-actionCSP: frame-ancestorsCSP: frame-srcCSP: img-srcCSP: manifest-srcCSP: media-srcCSP: object-srcCSP: plugin-typesCSP: referrerCSP: report-uriCSP: require-sri-forCSP: sandboxCSP: script-srcCSP: style-srcCSP: upgrade-insecure-requestsCSP: worker-srcHeadersAcceptAccept-CharsetAccept-EncodingAccept-LanguageAccept-RangesAccess-Control-Allow-CredentialsAccess-Control-Allow-HeadersAccess-Control-Allow-MethodsAccess-Control-Allow-OriginAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Request-HeadersAccess-Control-Request-MethodAgeAllowAuthorizationCache-ControlConnectionContent-DispositionContent-EncodingContent-LanguageContent-LengthContent-LocationContent-RangeContent-TypeCookieCookie2DateDNTETagExpectExpiresForwardedFromHeadersHostIf-MatchIf-Modified-SinceIf-None-MatchIf-RangeIf-Unmodified-SinceKeep-AliveLarge-AllocationLast-ModifiedLocationOriginPragmaProxy-AuthenticateProxy-AuthorizationPublic-Key-PinsPublic-Key-Pins-Report-OnlyRangeRefererReferrer-PolicyRetry-AfterServerSet-CookieSet-Cookie2SourceMapStrict-Transport-SecurityTETkTrailerTransfer-EncodingUpgrade-Insecure-RequestsUser-AgentUser-Agent: FirefoxVaryViaWarningWWW-AuthenticateX-Content-Type-OptionsX-DNS-Prefetch-ControlX-Forwarded-ForX-Forwarded-HostX-Forwarded-ProtoX-Frame-OptionsX-XSS-ProtectionMethodsCONNECTDELETEGETHEADMethodsOPTIONSPATCHPOSTPUTStatus100 Continue101 Switching Protocols200 OK201 Created202 Accepted203 Non-Authoritative Information204 No Content205 Reset Content206 Partial Content300 Multiple Choices301 Moved Permanently302 Found303 See Other304 Not Modified307 Temporary Redirect308 Permanent Redirect400 Bad Request401 Unauthorized403 Forbidden404 Not Found405 Method Not Allowed406 Not Acceptable407 Proxy Authentication Required408 Request Timeout409 Conflict410 Gone411 Length Required412 Precondition Failed413 Payload Too Large414 URI Too Long415 Unsupported Media Type416 Range Not Satisfiable417 Expectation Failed426 Upgrade Required428 Precondition Required429 Too Many Requests431 Request Header Fields Too Large451 Unavailable For Legal Reasons500 Internal Server Error501 Not Implemented502 Bad Gateway503 Service Unavailable504 Gateway Timeout505 HTTP Version Not Supported511 Network Authentication RequiredStatus
文字

HTTP Content-Security-Policy(CSP)upgrade-insecure-requests指令指示用户代理将所有站点的不安全URL(通过HTTP提供的URL)视为已被替换为安全URL(通过HTTPS提供的URL)。此指令适用于需要重写大量不安全的旧版URL的网站。

upgrade-insecure-requests指令在之前被评估block-all-mixed-content,如果被设置,后者实际上是没有操作的。建议设置一个指令或另一个指令,但不能同时设置。

upgrade-insecure-requests指令不会确保通过第三方网站上的链接访问您的网站的用户将升级到顶级导航的HTTPS,因此不会替代Strict-Transport-Security(HSTS)标头,该标头仍应设置适当的标头max-age以确保用户不会受到SSL剥离攻击。

句法

Content-Security-Policy: upgrade-insecure-requests;

示例

// headerContent-Security-Policy: upgrade-insecure-requests;// meta tag<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

通过将上述标头设置在域example.com上并希望从HTTP迁移到HTTPS,非导航不安全资源请求会自动升级(第一方以及第三方请求)。

<img src="http://example.com/image.png"><img src="http://not-example.com/image.png">

这些 URL 将在请求发生之前被重写,这意味着没有不安全的请求会触及网络。请注意,如果请求的资源通过 HTTPS 实际上不可用,则该请求将失败,而不会返回到 HTTP。

<img src="https://example.com/image.png"><img src="https://not-example.com/image.png">

导航升级到第三方资源会带来更高的破损潜力,但这些升级并不会升级:

<a href="https://example.com/">Home</a><a href="http://not-example.com/">Home</a>

发现不安全的请求

借助Content-Security-Policy-Report-Only标题和report-uri指令,您可以设置强制策略和报告策略,如下所示:

Content-Security-Policy: upgrade-insecure-requests; default-src https: Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint

这样,您仍会在安全网站上升级不安全的请求,但唯一的监控策略被违反并向您的端点报告不安全的资源。

规范

规范

状态

评论

升级不安全的请求在该规范中定义了“ upgrade-insecure-requests ”。

候选推荐

初始定义。

浏览器兼容性

特征

Chrome

Firefox

Edge

Internet Explorer

Opera

Safari

基本支持

43

42.0

(No)1

(No)

30

(No)

特征

Android

Chrome for Android

Edge mobile

Firefox for Android

IE mobile

Opera Android

iOS Safari

基本支持

?

43

(No)

42.0

(No)

?

(No)

上一篇:下一篇: