HTTPS is HTTP over Secure Sockets Layer, an HTTP channel aimed at security, so plain HTTP requests are not allowed on pages served over HTTPS. When they appear, the browser shows a warning or reports an error:
jquery.min.js:2 Mixed Content: The page at 'https://www.qqzsh.top/getDetail?id=44' was loaded over HTTPS, but requested an insecure image 'http://images.qqzsh.top/41403a8d69464a67b8aedeb3dbe70d18'. This content should also be served over HTTPS.
Many operators have no technical concept of HTTPS, so HTTP resources are unavoidable in the data they fill in, and negligence and loopholes are inevitable.
Solution 1: set upgrade-insecure-requests with CSP
Considering the difficulty of upgrading to HTTPS, the W3C working group published a draft of upgrade-insecure-requests in April 2015 (http://www.w3.org/TR/mixed-content/). Its function is to let the browser automatically upgrade requests.
In the response header of our server, add:
server {
...
add_header Content-Security-Policy upgrade-insecure-requests;
...
}
The header can also be added in the nginx configuration file, as in the server block above.
Our page is HTTPS, and it contains a large number of HTTP resources (pictures, iframes, etc.). Once the browser finds the above response header on the page, it automatically replaces each HTTP resource request with an HTTPS request when loading.
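The rewrite described above can be previewed offline to find operator-entered HTTP resources before they reach the browser. This is an added example, not code from the original page; the function names and the sample HTML (hosts under example.test) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that trigger a subresource fetch (navigation links such as <a href> are skipped).
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

def upgrade(url):
    """Rewrite http:// to https://, keeping host, path and query; drop an explicit :80."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, original URL, upgraded URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in SUBRESOURCE_ATTRS.get(tag, ()) and value:
                url = value.strip()
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url, upgrade(url)))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of operator-filled page content.
SAMPLE = """<html><body>
<img src="http://images.example.test/a.png">
<img src="https://images.example.test/b.png">
<iframe src="http://video.example.test:80/embed?id=7"></iframe>
<script src="//cdn.example.test/app.js"></script>
<a href="http://other.example.test/">link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, old, new in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {old} -> {new}")
```

Each reported URL is what the browser will request once upgrade-insecure-requests is active. There is no fallback to HTTP, so a host that does not serve the upgraded URL leaves a broken resource and has to be fixed at the source.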
Method 2: add a meta header to the page
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
At present, only Chrome 43.0 supports this setting, but I believe that CSP will become something that web front-end security pays great attention to and uses in the future. The upgrade-insecure-requests draft will soon enter RFC mode.