启用带有HTTP标头的最新Chrome和Firefox中的混合内容加载
[英]Enable mixed content loading in latest Chrome and firefox with http headers
问题描述
I have a website that has to be served under HTTPS 
我有一个必须在HTTPS下提供服务的网站
However, there is a section of the site that displays BBC news stories within an iframe which is in a popup window. 但是,该网站的一部分在弹出窗口的iframe中显示BBC新闻报道。 Here the content is not shown as both browsers say the BBC content is insecure (iemixed content). 此处未显示内容,因为两个浏览器都说BBC内容不安全(即混合内容)。
I have tried setting the header Content-Security-Policy : to 我尝试将标题Content-Security-Policy设置为
"default-src 'self' *.my_domian.net http://*.my_domian.net http://*.bbc.co.uk *.fonts.com 'unsafe-inline' 'unsafe-eval';"
Which has an effect on other content so it is working. 它对其他内容有影响,因此可以正常工作。 I have also checked the headers are sent. 我还检查了标头已发送。
However, both Chrome and Firefox continue to tell me the BBC content is insecure and it isn't shown in the iframe. 但是,Chrome和Firefox都继续告诉我BBC内容不安全,并且未在iframe中显示。
Is it possible to allow content from bbc.co.uk on a secure site ? 是否可以在安全网站上允许bbc.co.uk的内容? Have I miss understood the purpose of Content-Security-Policy ? 我是否想念过Content-Security-Policy的目的?
I have also tried frame-src in the header with no luck. 我也尝试了在头文件中没有好运的frame-src 。
Thanks 谢谢
1 个解决方案
解决方案1
0 2016-02-26 17:10:53
CSP level 2 is already being applied in Chrome, and level 2 has additional frame handling. CSP 2级已在Chrome中应用,并且2级具有其他框架处理功能。
see here: https://www.w3.org/TR/CSP2/#directive-frame-ancestors and here: https://www.w3.org/TR/CSP2/#directive-frame-src 参见此处: https : //www.w3.org/TR/CSP2/#directive-frame-ancestors和此处: https : //www.w3.org/TR/CSP2/#directive-frame-src
frame-src is being deprecated, user frame-ancestors frame-src被弃用,用户frame-ancestors
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.