Mixed Content: The page at was loaded over HTTPS, but requested an insecure image.

Make the browser no longer display the HTTP request alert in the HTTPS page

As HTTP over secure socket layer is an HTTP channel aiming at security, so HTTP requests are not allowed on the pages hosted by HTTPS. Once they appear, they will be prompted or an error will be reported

Mixed Content: The page at ‘ https://www.taobao.com/ ‘ was loaded over HTTPS, but requested an insecure image ‘ http://g.alicdn.com/s.gif ’. This content should also be served over HTTPS.

After the transformation of HTTPS, we can see the following alerts in many pages:

Many operators have no technical concept of HTTPS, so HTTP resources are unavoidable in the data filled in. The system is huge, and negligence and loopholes are inevitable.

CSP set upgrade insure requests

Fortunately, the W3C working group took into account the difficulty of upgrading HTTPS. In April 2015, it published a upgrade secure requests draft, which is to let the browser automatically upgrade requests.

In the response header of our server, add:

header("Content-Security-Policy: upgrade-insecure-requests");

Our page is HTTPS, and this page contains a large number of HTTP resources (pictures, iframes, etc.). Once the above response header is found on the page, it will be automatically replaced by an HTTPS request when loading HTTP resources. You can see a demo provided by Google

However, what is puzzling is that this resource has made two requests, which are supposed to be a bug in the browser implementation

Of course, if it is not convenient for us to operate on the server/nginx, we can also add the meta header to the page:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" /&>

At present, only chrome 43.0 supports this setting, but I believe that CSP will become the content that web front-end security pays great attention to and uses in the future. The upgrade insure requests draft will soon enter RFC mode.

From the example given by W3C working group, we can see that this setting will not deal with a link of foreign domain, so it can be used safely.

Buy me a cup of coffee 🙂

Similar Posts: