从 HTTPS 页面到 HTTP(非 HTTPS)本地主机地址的混合内容请求未被阻止

Mixed-content request from HTTPS page to HTTP (non-HTTPS) localhost address not blocked(从 HTTPS 页面到 HTTP(非 HTTPS)本地主机地址的混合内容请求未被阻止)

问题描述

假设下面的页面是从 https://127.0.100.1 加载的.该页面向 http://127.0.100.2 发出 XMLHttpRequest.这似乎是混合内容:页面通过安全连接加载，资源通过不安全连接加载.混合内容应被浏览器阻止.然而，下面的页面运行良好.* 为什么会运行:为什么请求没有被阻止?

Suppose the page below is loaded from https://127.0.100.1. The page makes an XMLHttpRequest to http://127.0.100.2. This seems like mixed content: The page is loaded over a secure connection and a resource is loaded over an insecure connection. Mixed content should be blocked by the browser. Yet, the page below works just fine.* Why does it work: Why isn't the request blocked?

更新:超越接受的答案，浏览器可以配置来阻止此类地址的混合内容.

Update: Going beyond the accepted answer, browsers can be configured to block mixed content for such addresses.

^{* Wireshark 确认浏览器没有通过安全连接加载资源.}

<html>
<body>
<img id="dst"/>
<script>
  let xhr = new XMLHttpRequest();
  xhr.open('get', 'http://127.0.100.2/img.jpg');
  xhr.responseType = 'blob';
  xhr.onload = function(){
    document.getElementById('dst').src = URL.createObjectURL(xhr.response);    
  }
  xhr.send();
</script>
</body>
</html>

推荐答案

http://127.0.100.2/img.jpg 不被视为混合内容，因为混合内容规范将其定义为先验认证 URL，因为它在 127.0.0.0 - 127.255.255.255 范围内(即具有 CIDR 表示法 127.0.0.0/8 的主机)，根据安全上下文规范被定义为安全上下文——即使协议不是 https.

http://127.0.100.2/img.jpg isn’t considered mixed content because the Mixed Content spec defines it as a special case of an a priori authenticated URL, due to it being in the range 127.0.0.0 - 127.255.255.255 (that is, a host with the CIDR notation 127.0.0.0/8), which per the Secure Contexts spec is defined as a secure context — even if the protocol isn’t https.

http://localhost/img.jpg 或 http://foo.localhost/img.jpg

这篇关于从 HTTPS 页面到 HTTP(非 HTTPS)本地主机地址的混合内容请求未被阻止的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！