Could Upgrade-Insecure-Requests be added to the request headers? #2

Closed
ivysrono opened this issue Feb 25, 2017 · 6 comments

ivysrono commented Feb 25, 2017

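Feature source: the UpgradeMixedContent extension

Related discussion:
EFForg/https-everywhere#8506
fengyc/URLRedirector#15

Documentation: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests

Summary:
When the main_frame is https but the page contains http resources, the browser by default blocks active resources such as JS, while for now still letting through passive resources such as images. This behavior is carried out by the browser, and extensions basically cannot intervene.
The UpgradeMixedContent extension offers the only approach to intervening that I have seen so far: insert an upgrade-insecure-requests into all http resources, so that the browser tries to use https to access resources that would otherwise be blocked by MCB.
Drawbacks:
The UpgradeMixedContent extension applies globally by default, so some resources, mainly images, get broken, e.g. on 好奇心日报 (Qdaily).
The author of that extension is a hardliner who believes that unencrypted resources should not be loaded at all.

Current status:
Chrome now has a dedicated extension with blacklist support: https://github.com/gloomy-ghost/UpgradeMixedContent
I maintain an online blacklist for it: https://github.com/ivysrono/UpgradeMixedContentBlacklist
There is currently no usable implementation for Firefox.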
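
As an added example (not part of the original issue, and not code from UpgradeMixedContent or this project): a sketch of the blacklist approach described in the comment above, assuming the directive is delivered as a `Content-Security-Policy: upgrade-insecure-requests` response header on the https main_frame through Chrome's `webRequest` API. The `BLACKLIST` hosts and the function names are hypothetical.

```javascript
// Constructed sample blacklist: sites whose http-only images break when upgraded.
const BLACKLIST = ['news.example'];

// True when host equals a blacklist entry or is a subdomain of one.
function isBlacklisted(host, blacklist) {
  const h = host.toLowerCase();
  return blacklist.some((d) => h === d || h.endsWith('.' + d));
}

// Pure decision function: returns the new response header list,
// or null when the response must be left untouched.
function upgradeHeaders(details, blacklist) {
  if (details.type !== 'main_frame') return null;   // policy is set on the document
  const url = new URL(details.url);
  if (url.protocol !== 'https:') return null;       // http pages have no mixed content
  if (isBlacklisted(url.hostname, blacklist)) return null;
  const headers = details.responseHeaders || [];
  const already = headers.some((h) =>
    h.name.toLowerCase() === 'content-security-policy' &&
    /(^|;)\s*upgrade-insecure-requests\s*(;|$)/i.test(h.value || ''));
  if (already) return null;                         // site already opts in
  // Add a separate CSP header rather than editing the site's own policy:
  // every CSP header is enforced, so this adds the upgrade and loosens nothing.
  return headers.concat({
    name: 'Content-Security-Policy',
    value: 'upgrade-insecure-requests',
  });
}

// Wiring, active only inside an extension that holds the
// webRequest and webRequestBlocking permissions.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => {
      const h = upgradeHeaders(details, BLACKLIST);
      return h ? { responseHeaders: h } : {};
    },
    { urls: ['https://*/*'], types: ['main_frame'] },
    ['blocking', 'responseHeaders']
  );
}
```

With the header present, the browser rewrites the page's http subresource URLs to https before the mixed content check; a resource with no https version then fails to load, which is why the per-site blacklist is needed.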

ivysrono changed the title from "Able to add Upgrade-Insecure-Requests to the request headers ?" to "Could Upgrade-Insecure-Requests be added to the request headers?" Feb 25, 2017
Member

sylingd commented Feb 26, 2017

Work in progress

Author

ivysrono commented Mar 8, 2017

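@sylingd I only just noticed there is a release 1.0. I downloaded it, changed it to be self-signed, and finally managed to install it, but when I opened the management page I was at a loss and did not know how to configure it.
I suggest uploading it to AMO as soon as possible; if you would rather not, please provide an already signed version in the releases.
Most importantly, please provide more documentation and examples; otherwise I cannot even get by through imitating an existing one...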

Member

sylingd commented Mar 9, 2017

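It has already been uploaded to AMO, but the review is slow. It seems that getting it signed requires passing review. I expect it to pass review in the middle or latter part of this month.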

Author

ivysrono commented Mar 9, 2017

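Signing alone does not require passing review. When uploading, choose the second option, not to distribute on AMO, and it gets signed within seconds.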

Member

sylingd commented Mar 9, 2017

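Because I plan to list it on AMO, I am not sure whether choosing the second option would have any adverse consequences. So I will wait for the review. Perhaps reviews will be faster for updates.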

Author

ivysrono commented Mar 9, 2017

There are no adverse consequences at all, because it has to be given a different name, for example xxx-offline.
