
AJAX calls with relative URLs are going to HTTP for a site served over HTTPS

We host our site on an IIS server behind a load balancer. The LB performs SSL offloading and everything behind it talks HTTP.

The issue is that AJAX requests in the served pages which point back to the same web server using relative URLs are attempting to connect over HTTP instead of HTTPS. This fails our CSP policies and usually wouldn't render anyway due to mixed content. If these URLs are resolved in the client's browser, why would this be happening?

The URL currently looks like:

url: '/controller/someaction'

which on a page such as https://host/controller/action attempts to call http://host/controller/someaction

If we use protocol-relative paths:

url: '//controller/someaction'

We lose the host completely and it attempts to call https://controller/someaction

There's an issue with setting upgrade-insecure-requests that currently causes an infinite redirect loop. This is a likely fix to the issue long term, but adding that response header introduces more problems than it solves in the short term. There could be a hack involving ajaxSetup/beforeSend to modify the URL, but that feels really dirty. We could go through the whole codebase and change URLs to 'https://' + window.location.host + '/controller/someaction', but that feels dirty and time consuming.

A search shows that the behaviour could be different if the URL (either current or requested) ends with a '/', but experiments have shown that we see the same behaviour in all combinations.

Any idea why this is happening? We'd rather not change the SSL offloading behaviour, but could if it's the only option.

My best guess is that disabling SSL offloading will fix this for you: the server behind the load balancer has no way of knowing that the response will be served over HTTPS, so the browser blocks the HTTP response and moves on.
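As an added example (not code from the question or the answer above), the snippet below reproduces how a browser resolves the three URL forms discussed in the question against the page URL, flags a resolved request that would be blocked as mixed content, and builds the same-origin HTTPS URL the question mentions as a last-resort fix. The page URL and paths are constructed sample values taken from the question; the function names are my own.

```javascript
// Constructed sample page URL from the question (not a real host).
const PAGE_URL = 'https://host/controller/action';

// Resolve an AJAX url the way the browser does: relative to the document URL.
// A path starting with '/' keeps the page's scheme and host; a path starting
// with '//' is protocol-relative and replaces the host, which is why
// '//controller/someaction' ends up as https://controller/someaction.
function resolveAjaxUrl(url, pageUrl = PAGE_URL) {
  return new URL(url, pageUrl).href;
}

// True when the request would be blocked as mixed content: the page is HTTPS
// but the request is plain HTTP. Useful in a pre-request hook or a log audit
// to find the calls that are being downgraded.
function isMixedContent(resolvedUrl, pageUrl = PAGE_URL) {
  const page = new URL(pageUrl);
  const req = new URL(resolvedUrl);
  return page.protocol === 'https:' && req.protocol === 'http:';
}

// Build the 'https://' + window.location.host + path URL from the question,
// using the URL API instead of string concatenation so host and path join
// correctly. Refuses anything that would leave the page's origin, so a stray
// protocol-relative path cannot silently point at another host.
function sameOriginHttpsUrl(path, pageUrl = PAGE_URL) {
  const page = new URL(pageUrl);
  const target = new URL(path, pageUrl);
  if (target.host !== page.host) {
    throw new Error(`refusing to build cross-origin URL for ${path}`);
  }
  target.protocol = 'https:';
  return target.href;
}

module.exports = { resolveAjaxUrl, isMixedContent, sameOriginHttpsUrl };
```

In a browser, pass `window.location.href` as `pageUrl`; the resolution result for '/controller/someaction' shows that the client-side step itself keeps HTTPS, so a downgrade observed on the wire is happening somewhere other than URL resolution.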
