Chrome或FireFox可以强制执行https请求而不是http请求吗?
[英]Can Chrome or FireFox force https request instead of http request?
问题描述
I have pretty strange situation. 
我的情况很奇怪。 I'm working on domain example.net and some of its pages are delivered via https and some over http (but http resources can be accessed using https too). 我正在使用example.net域,它的某些页面是通过https传递的,有些是通过http传递的(但是也可以使用https访问http资源)。 When I access page http://example.net/page1.html delivered using http protocol Chrome executes HTTP request. 当我访问使用http协议传送的页面http://example.net/page1.html时, Chrome会执行HTTP请求。 Then, when I access https://example.net/page2.html via HTTPS Chrome executes HTTPS request. 然后,当我通过HTTPS访问https://example.net/page2.html时 ,Chrome执行HTTPS请求。 Till now everything is as it should be. 到现在为止一切都应该是应该的。 I then try to access http://example.net/page1.html via HTTP but Chrome executes HTTPS request. 然后,我尝试通过HTTP访问http://example.net/page1.html ,但Chrome执行HTTPS请求。
My first thought was that http://example.net/page1.html redirects to https://example.net/page1.html but this is not the case. 我首先想到的是http://example.net/page1.html重定向到https://example.net/page1.html,但事实并非如此。 Here's list of things I've checked: 这是我检查过的东西的清单:
- in 'Network' tab in Web Developer Tools when accessing http://example.net/page1.html (for the second time) I see entry for http request that has 'Finished' status, 'Other' in initiator column, 13 bytes and it's finished in 5 ms (other requests to the host are in 150ms+ range) - clearly Chrome cancels the request. 在第二次访问http://example.net/page1.html时,在Web开发人员工具的“网络”标签中,我看到http请求的条目具有“完成”状态,在发起方列中为“其他”,为13个字节并在5毫秒内完成(对主机的其他请求在150毫秒以上的范围内)-很明显,Chrome取消了该请求。 The request is followed by https://example.net/page1.html request. 该请求之后是https://example.net/page1.html请求。
- I've confirmed using Wireshark that first packet sent to the example.net server when accessing http://example.net/page1.html for the second time is to port 443, so it's not the server that does the redirect to force https. 我已经使用Wireshark确认,第二次访问http://example.net/page1.html时,发送到example.net服务器的第一个数据包是端口443,因此不是由服务器执行重定向以强制使用https 。
- switching to 'Private browsing' mode does not help, http requests are still changed to https requests, 切换到“私人浏览”模式无济于事,http请求仍更改为https请求,
- I don't have HTTPS Everywhere or anything similar installed, 我没有在任何地方安装HTTPS或类似工具,
- wiping out browser history seems to do the trick, however I need to figure out why Chrome and FF insist on https, 清除浏览器历史记录似乎可以解决问题,但是我需要弄清楚为什么Chrome和FF坚持使用https,
- other web servers seem to work fine and I'm free to switch between http and https, 其他网络服务器似乎工作正常,我可以在http和https之间自由切换,
- IE does not force https. IE不会强制使用https。
Is there some new security policy, server header etc. that forces Chrome and FireFox to force https after browser finds out that server responds to https? 浏览器发现服务器响应https后,是否有一些新的安全策略,服务器标头等强制Chrome和FireFox强制https? I'm working on newest Chrome (33.0.1750.154) and FF (28.0). 我正在使用最新的Chrome(33.0.1750.154)和FF(28.0)。
1 个解决方案
解决方案1
2 已采纳 2014-04-01 20:04:04
As it turns out there's a header web server can set during HTTPS response to tell browser to force HTTPS on all requests. 事实证明,可以在HTTPS响应期间设置标头Web服务器,以告诉浏览器在所有请求上强制使用HTTPS。 You can read more about it here HTTP Strict Transport Security 您可以在此处了解更多有关HTTP严格传输安全性的信息
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.