What is the "Upgrade-Insecure-Requests" HTTP header?
I made a POST request to an HTTP (non-HTTPS) site, inspected the request in Chrome's Developer Tools, and found that it had added its own header before sending it to the server:

Upgrade-Insecure-Requests: 1

After searching for Upgrade-Insecure-Requests, I could only find information about the server sending this header:

Content-Security-Policy: upgrade-insecure-requests

This seems related, but is still very different, because in my case the client is sending the header in the Request, while all the information I found is about the server sending the related header in the Response.

So why does Chrome (44.0.2403.130 m) add Upgrade-Insecure-Requests to my request, and what does it do?
Update 2016-08-24:

This header has been added as a W3C Candidate Recommendation and is now officially recognized.

For those who have just run into this question and are confused, Simon East's answer below explains it well.

The Upgrade-Insecure-Requests: 1 header used to be HTTPS: 1 in the previous W3C Working Draft, and was renamed quietly by Chrome before the change was officially accepted.

(This question was asked during that transition period, when there was no official documentation for this header and Chrome was the only browser sending it.)
Short answer: it is closely related to the Content-Security-Policy: upgrade-insecure-requests response header, and indicates that the browser supports it (and in fact prefers it).

It took me 30 minutes of Googling, but I finally found it in the W3 spec.

The confusion comes from the fact that the header in the spec was HTTPS: 1, and that is how Chromium implemented it, but after that broke lots of websites that were poorly coded (particularly WordPress and WooCommerce) the Chromium team apologized:

"I apologize for the breakage; I apparently underestimated the impact based on the feedback during dev and beta."
— Mike West, in Chrome Issue 501842

Their fix was to rename it to Upgrade-Insecure-Requests: 1, and the spec has since been updated to match.

Anyway, here is the explanation from the W3 spec (as it appeared at the time)...

The HTTPS HTTP request header field sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.
...
When a server encounters this preference in an HTTP request's headers, it SHOULD redirect the user to a potentially secure representation of the resource being requested.
When a server encounters this preference in an HTTPS request's headers, it SHOULD include a Strict-Transport-Security header in the response if the request's host is HSTS-safe or conditionally HSTS-safe [RFC6797].

This explains the whole thing:

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both.

The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
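The following is an added example, not code from the asker or from Simon East's answer. It models what a server should do with the request the asker saw in DevTools (a POST over plain HTTP carrying Upgrade-Insecure-Requests: 1), following the two SHOULD clauses quoted from the W3 spec, and it also models the point made in the MDN excerpt about why HSTS is still needed for top-level navigations from other sites. The host name, paths and the request/response dict shapes are hypothetical, chosen so the code runs offline; the sample request is constructed.

```python
"""Upgrade-Insecure-Requests on the server side, plus why HSTS is still needed.

Added example, not code from the original question or answer. The server
behaviour recommended by the W3C text is written as a pure function over a
request dict, and a tiny browser model shows the HSTS point from the MDN
excerpt. Host names and paths are hypothetical.
"""

ONE_YEAR = 31536000  # HSTS max-age, in seconds

# Constructed request shaped like what the asker saw in DevTools: a POST over
# plain HTTP that Chrome tagged with "Upgrade-Insecure-Requests: 1".
SAMPLE_HTTP_POST = {
    "scheme": "http",
    "method": "POST",
    "host": "shop.example",
    "path": "/cart/checkout",
    "headers": {"Upgrade-Insecure-Requests": "1",
                "Content-Type": "application/x-www-form-urlencoded"},
}


def wants_upgrade(headers):
    """True if the request carries Upgrade-Insecure-Requests: 1.

    Header field names are case-insensitive; the only defined value is "1",
    so anything else is treated as "no preference" rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "upgrade-insecure-requests":
            return value.strip() == "1"
    return False


def respond(request, hsts_max_age=ONE_YEAR):
    """Return (status, headers) for a request, following the spec's SHOULDs.

    http + UIR:1  -> redirect to the https representation. 307 keeps a POST a
                     POST (301/302 would turn it into a GET and drop the body).
    https         -> add Strict-Transport-Security. Sending it over http would
                     be pointless: RFC 6797 makes browsers ignore it there.
    every reply   -> CSP upgrade-insecure-requests, so http:// subresources on
                     the served page get fetched over https.
    """
    headers = {"Content-Security-Policy": "upgrade-insecure-requests"}
    if request["scheme"] == "http":
        if wants_upgrade(request["headers"]):
            headers["Location"] = f"https://{request['host']}{request['path']}"
            # Keep caches from serving this redirect to clients that did not
            # send the header (or a plain response to clients that did).
            headers["Vary"] = "Upgrade-Insecure-Requests"
            return 307, headers
        return 200, headers
    headers["Strict-Transport-Security"] = f"max-age={hsts_max_age}"
    return 200, headers


def _split(url):
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


def navigate(url, hsts_hosts, send_uir=True):
    """Model a top-level navigation, e.g. a link clicked on a third-party page.

    Returns the list of (scheme, host, path) requests actually put on the
    wire. An HSTS entry rewrites http -> https before anything is sent; the
    CSP directive cannot help here because no page of ours is loaded yet.
    Without HSTS, the first request goes out in cleartext and only the
    server's redirect moves the user to https.
    """
    scheme, host, path = _split(url)
    if scheme == "http" and host in hsts_hosts:
        scheme = "https"
    wire = [(scheme, host, path)]
    headers = {"Upgrade-Insecure-Requests": "1"} if send_uir else {}
    status, hdrs = respond({"scheme": scheme, "method": "GET", "host": host,
                            "path": path, "headers": headers})
    if status == 307:
        scheme, host, path = _split(hdrs["Location"])
        wire.append((scheme, host, path))
        status, hdrs = respond({"scheme": scheme, "method": "GET", "host": host,
                                "path": path, "headers": headers})
    if "Strict-Transport-Security" in hdrs:
        hsts_hosts.add(host)  # the browser remembers the host for max-age
    return wire


if __name__ == "__main__":
    print(respond(SAMPLE_HTTP_POST))
    known = set()
    print(navigate("http://shop.example/", known))  # two requests, first in clear
    print(navigate("http://shop.example/", known))  # one request, https from the start
```

One caveat the redirect does not fix: for the asker's POST, the form body has already crossed the network in cleartext by the time the server answers with 307, so the redirect only limits exposure of later requests. The second `navigate` call shows what actually prevents the plaintext request: once the browser has seen Strict-Transport-Security over https, it rewrites the next http:// navigation itself and nothing is sent in the clear, which is why the MDN text says HSTS still has to be set alongside the CSP directive.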