-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
能否在请求头部加上 Upgrade-Insecure-Requests ? #2
Comments
ivysrono
changed the title
能够在请求头部加上 Upgrade-Insecure-Requests ?
能否在请求头部加上 Upgrade-Insecure-Requests ?
Feb 25, 2017
working in process |
@sylingd 才发现有release 1.0 的,下下来改了改自签名,终于成功安装,但打开管理页面,很茫然了,不知道怎么设置。 |
AMO已经上传,但是审核很慢。要签名似乎必须要过审。预计本月中旬或者下旬可以过审 |
单纯签名不需要过审,上传的时候选第二个选项,不在amo分发,就会秒签名。 |
因为打算在AMO上架,所以不清楚选择第二项会不会有什么不良后果。因此还是等审核吧。或许更新的时候审核会比较快 |
没有任何不良后果,因为必须另外取名,比方说xxx-offline |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
功能来自:UpgradeMixedContent 扩展
相关讨论:
EFForg/https-everywhere#8506
fengyc/URLRedirector#15
文档 https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
简述:
main_frame 为 https 但页内有 http 资源时,浏览器会默认禁止主动性资源如 JS,目前还会放行被动型资源如 image,这一行为由浏览器完成,扩展基本不能干预。
UpgradeMixedContent 扩展提供了目前仅见的干预思路:给所有的 http 资源插入一个 upgrade-insecure-requests ,这样浏览器就会尝试用 https 来访问本会被 MCB 的资源。
缺陷:
UpgradeMixedContent 扩展是默认全局使用的,于是部分资源,主要是图片就会被破坏,如 好奇心日报
该扩展作者是个极端派,他认为没有加密的资源就不应该被载入。
现状:
Chrome 有了黑名单版的专用扩展:https://github.com/gloomy-ghost/UpgradeMixedContent
我为其维护了一个在线黑名单:https://github.com/ivysrono/UpgradeMixedContentBlacklist
目前 Firefox 上尚无可用实现。
The text was updated successfully, but these errors were encountered: