今天早上,当我将Firefox浏览器升级到最新版本(从22升级到23)时,我的后台办公室(网站)的一些关键方面停止了工作。
查看Firebug日志,报告了以下错误:
Blocked loading mixed active content "http://code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css"
Blocked loading mixed active content "http://ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"`
在其他错误中,由上述两个中的后者未加载引起。
上述问题是什么意思?我该如何解决?
当前回答
我只是通过在头部添加以下代码来修复这个问题:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
其他回答
在https协议上强制重定向,你也可以在根文件夹的。htaccess中添加这个指令
RewriteEngine on
RewriteCond %{REQUEST_SCHEME} =http
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
我只是通过在头部添加以下代码来修复这个问题:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
我发现这篇博客文章澄清了一些事情。引用最相关的部分:
Mixed Active Content is now blocked by default in Firefox 23! What is Mixed Content? When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits a page served over HTTPS, their connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks. However, if an HTTPS page includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted over HTTP. The Mixed Content Blocker blocks certain HTTP requests on HTTPS pages.
在我的例子中,解决方案是简单地确保jquery包含如下(注意去除协议):
<link rel="stylesheet" href="//code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css" type="text/css">
<script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"></script>
请注意,临时的“修复”是点击地址栏左上角的“屏蔽”图标,并选择“禁用此页面上的保护”,尽管出于明显的原因,不建议这样做。
更新:这个来自Firefox (Mozilla)支持页面的链接在解释什么是混合内容方面也很有用,正如上面一段所给出的,它实际上提供了如何显示页面的细节:
Most websites will continue to work normally without any action on your part. If you need to allow the mixed content to be displayed, you can do that easily: Click the shield icon Mixed Content Shield in the address bar and choose Disable Protection on This Page from the dropdown menu. The icon in the address bar will change to an orange warning triangle Warning Identity Icon to remind you that insecure content is being displayed. To revert the previous action (re-block mixed content), just reload the page.
如果你的应用服务器是weblogic,那么确保WLProxySSL ON条目存在(也要确保它不应该被注释)在webserver的conf目录下的weblogic.conf文件中。然后重新启动web服务器,它将工作。
如果您通过AJAX使用内部服务,请确保url指向https,这为我清除了错误。
最初阿贾克斯网址:“http://XXXXXX.com/Core.svc/ +。”这是ApiName 由AJAX ApiName网址:“https://XXXXXX.com/Core.svc/ +,
