我向一个HTTP(非https)站点发送了一个POST请求,在Chrome的开发人员工具中检查了请求,并发现它在发送到服务器之前添加了自己的头:

Upgrade-Insecure-Requests: 1

在对Upgrade-Insecure-Requests进行搜索后,我只能找到关于发送此报头的服务器的信息:

Content-Security-Policy: upgrade-insecure-requests

这似乎是相关的,但仍然有很大的不同,因为在我的情况下,客户端在请求中发送报头,而我所找到的所有信息都是关于服务器在响应中发送相关的报头。


那么为什么Chrome (44.0.2403.130 m)添加升级不安全请求到我的请求,它做什么?


更新2016-08-24:

该标头已被添加为W3C候选推荐,现在已得到官方认可。

对于那些刚刚遇到这个问题并感到困惑的人来说,西蒙·伊斯特的精彩回答很好地解释了这个问题。

在之前的W3C工作草案中,“升级-不安全-请求:1”标头曾经是“HTTPS: 1”,在正式接受之前被Chrome悄悄地重命名。

(这个问题是在过渡期间提出的,当时没有关于这个头文件的官方文档,Chrome是唯一发送这个头文件的浏览器。)


简单回答:它与Content-Security-Policy: upgrade-insecure-requests响应头密切相关,表明浏览器支持它(实际上更喜欢它)。

我花了30分钟在谷歌上搜索,但我最终在W3规范中找到了它。

混淆的原因是规范中的标头是HTTPS: 1,这是Chromium实现它的方式,但在这破坏了许多编码糟糕的网站(特别是WordPress和WooCommerce)后,Chromium团队道歉:

“我为造成的破坏道歉;基于开发和测试期间的反馈,我显然低估了其影响。” ——迈克·韦斯特,Chrome 501842版

他们的修复方法是将其重命名为Upgrade-Insecure-Requests: 1,并且规范已经更新以匹配。

不管怎样,这是来自W3规范的解释(就像它当时出现的那样)…

The HTTPS HTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide. ... When a server encounters this preference in an HTTP request’s headers, it SHOULD redirect the user to a potentially secure representation of the resource being requested. When a server encounters this preference in an HTTPS request’s headers, it SHOULD include a Strict-Transport-Security header in the response if the request’s host is HSTS-safe or conditionally HSTS-safe [RFC6797].


这解释了整个事情:

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both. The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.

来源:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests