問題描述

假設(shè)下面的頁面是從 https://127.0.100.1 加載的.該頁面向 http://127.0.100.2 發(fā)出 XMLHttpRequest.這似乎是混合內(nèi)容:頁面通過安全連接加載，資源通過不安全連接加載.混合內(nèi)容應(yīng)被瀏覽器阻止.然而，下面的頁面運行良好.* 為什么會運行:為什么請求沒有被阻止?

Suppose the page below is loaded from https://127.0.100.1. The page makes an XMLHttpRequest to http://127.0.100.2. This seems like mixed content: The page is loaded over a secure connection and a resource is loaded over an insecure connection. Mixed content should be blocked by the browser. Yet, the page below works just fine.* Why does it work: Why isn't the request blocked?

更新:超越接受的答案，瀏覽器可以配置來阻止此類地址的混合內(nèi)容.

Update: Going beyond the accepted answer, browsers can be configured to block mixed content for such addresses.

^{* Wireshark 確認(rèn)瀏覽器沒有通過安全連接加載資源.}

<html>
<body>
<img id="dst"/>
<script>
  let xhr = new XMLHttpRequest();
  xhr.open('get', 'http://127.0.100.2/img.jpg');
  xhr.responseType = 'blob';
  xhr.onload = function(){
    document.getElementById('dst').src = URL.createObjectURL(xhr.response);    
  }
  xhr.send();
</script>
</body>
</html>

推薦答案

http://127.0.100.2/img.jpg 不被視為混合內(nèi)容，因為混合內(nèi)容規(guī)范將其定義為先驗認(rèn)證 URL，因為它在 127.0.0.0 - 127.255.255.255 范圍內(nèi)(即具有 CIDR 表示法 127.0.0.0/8 的主機)，根據(jù)安全上下文規(guī)范被定義為安全上下文——即使協(xié)議不是 https.

http://127.0.100.2/img.jpg isn’t considered mixed content because the Mixed Content spec defines it as a special case of an a priori authenticated URL, due to it being in the range 127.0.0.0 - 127.255.255.255 (that is, a host with the CIDR notation 127.0.0.0/8), which per the Secure Contexts spec is defined as a secure context — even if the protocol isn’t https.

http://localhost/img.jpg 或 http://foo.localhost/img.jpg

這篇關(guān)于從 HTTPS 頁面到 HTTP(非 HTTPS)本地主機地址的混合內(nèi)容請求未被阻止的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！