Allow loading HTTP resources over HTTPS

橙三吉。 Submitted on 2020-01-09 11:10:30

Question


Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?

Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites but I don't exactly know how I can do this. Can someone give me a solution?


Answer 1:


There is no solution. Modern browsers will deny using non-https resources in pages served by https because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is to either serve the site by http or to proxy includes from external non-https sites through your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating from the same domain as your own content and thus could misuse the same-origin policy.
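
The proxy option mentioned in the answer, as an added example that is not part of the original answer: a handler that serves only allowlisted includes, checks the bytes fetched over plain HTTP against a pinned SHA-256, and pins the response type. The host `legacy.example`, the name `legacy.css`, the function names and the sample body are constructed for illustration.

```python
import hashlib
import urllib.request

MAX_BYTES = 1 << 20
SAMPLE_CSS = b"body { color: #333; }\n"  # constructed sample upstream body

# Constructed allowlist: fixed upstream URL, pinned type, pinned digest.
# Host name and digest are placeholders, not values from the page.
ALLOWED = {
    "legacy.css": {
        "url": "http://legacy.example/theme.css",
        "type": "text/css; charset=utf-8",
        "sha256": hashlib.sha256(SAMPLE_CSS).hexdigest(),
    },
}


def http_fetch(url):
    """Fetch an allowlisted URL, reading at most MAX_BYTES + 1 bytes."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read(MAX_BYTES + 1)


def serve_proxied(name, fetch=http_fetch):
    """Return (status, headers, body) for one proxied include."""
    entry = ALLOWED.get(name)
    if entry is None:
        return 404, {}, b""          # never fetch a caller-chosen URL
    try:
        body = fetch(entry["url"])
    except OSError:                  # URLError and timeouts are OSErrors
        return 502, {}, b""
    # The upstream hop is plaintext HTTP, so anything on the path can
    # alter it: serve the bytes only if they match the pinned digest.
    if len(body) > MAX_BYTES:
        return 502, {}, b""
    if hashlib.sha256(body).hexdigest() != entry["sha256"]:
        return 502, {}, b""
    headers = {
        "Content-Type": entry["type"],        # pinned, not upstream's
        "X-Content-Type-Options": "nosniff",  # no type sniffing
        # Applies only if the response is opened as a document.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    return 200, headers, body
```

Serving these responses from a dedicated hostname instead of the main site's hostname keeps the proxied content out of the main site's origin.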



Source: https://stackoverflow.com/questions/28517391/allow-loading-http-resources-over-https
