Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
998 views
in Technique[技术] by (71.8m points)

security - Chrome now blocking all jsonp requests from https to http?

At some point recently Chrome has stopped showing data loaded via jsonp with the error

[blocked] The page at https://user.example.com/category/12345 ran insecure content from http://livedata.example.com/Data.svc/jsonp/GetData?category=12345&callback=_jsp&_1346417951424=.

It still works fine on all other browsers, and has been confirmed on several different computers running Chrome.

The only mention I've seen of this problem before is when the page was served from one of Google's own domains (a security feature for Google Apps I guess?). Is this something that has been enabled on all domains now in a recent version of Chrome?

Ideally we don't want to have to enable https on our livedata subdomain because of the extra server load it would cause; the data is all publicly available, so there's no pressing need to encrypt it.

He who fights with monsters for too long becomes a monster himself; if you gaze long into an abyss, the abyss will gaze back into you…

1 Reply

0 votes
by (71.8m points)

It definitely should block it - it's insecure and breaks the promise of HTTPS.

A JSONP resource fetch is done by creating a <script> resource pointing at the target. That means the target server can run any JavaScript it likes on the including page, and hence any man-in-the-middle can inject arbitrary script into a supposedly HTTPS-protected page (e.g. adding a keylogger, or completely replacing the page content). An HTTPS page with a <script> coming from HTTP is no more secure than a plain HTTP page.

You will need to provide an HTTPS version of your data feed if you want HTTPS pages to be able to access it. Otherwise browsers should, at the very least, produce warnings. Chrome now defaulting to block doesn't change the nature of the problem; it's just giving you the extra push you need to fix it properly.


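The <script>-based JSONP fetch the answer describes, as an added JavaScript example that is not part of the original question or answer: it rebuilds the blocked URL from the question, detects the https-page/http-script combination Chrome refuses, and applies the recommended fix by pointing the script at an HTTPS copy of the feed. The hostnames are the ones in the question; all function names and the cache-buster handling are assumptions made for this example.

```javascript
// Added example, not code from the original post. Hostnames come from the
// question; function names are constructed for illustration.

// Active mixed content: a script fetched over http: by a page served over https:.
// This is the combination the "[blocked]" console message reports.
function isBlockedMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // also resolves relative URLs
  return page.protocol === 'https:' && res.protocol === 'http:';
}

// Build the JSONP URL shape shown in the question:
// endpoint + query + callback name + "&_<timestamp>=" cache-buster.
function buildJsonpUrl(endpoint, params, callbackName, cacheBuster) {
  const u = new URL(endpoint);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  u.searchParams.set('callback', callbackName);
  u.searchParams.set('_' + cacheBuster, ''); // serialises as "&_1346417951424="
  return u.toString();
}

// The fix the answer recommends: fetch the feed over HTTPS. On an https: page
// an http: feed URL is rewritten to https: (assumes the feed is served there);
// any other combination is returned unchanged.
function secureJsonpUrl(pageUrl, resourceUrl) {
  const res = new URL(resourceUrl, pageUrl);
  if (isBlockedMixedContent(pageUrl, res.href)) res.protocol = 'https:';
  return res.href;
}

// The actual JSONP mechanism: inject a <script> whose response calls back
// into the page. Browser-only (needs window/document); callback is
// Node-style (err, data) and cleans up the global and the element.
function loadJsonp(endpoint, params, done) {
  const name = '_jsp' + Date.now();
  const script = document.createElement('script');
  const cleanup = () => { delete window[name]; script.remove(); };
  window[name] = (data) => { cleanup(); done(null, data); };
  script.src = secureJsonpUrl(location.href,
    buildJsonpUrl(endpoint, params, name, Date.now()));
  script.onerror = () => { cleanup(); done(new Error('JSONP load failed: ' + script.src)); };
  document.head.appendChild(script);
}
```

Note that `secureJsonpUrl` only changes the scheme; whatever server answers on `https://livedata.example.com` still gets to run script in the page, so the feed host must be one you trust as much as the page itself.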