随着https的不断普及,目前几乎所有的网站都开启了https,但是有时候网站内的部分资源还是http的,此时因为浏览器的安全策略,浏览器默认会拦截这些资源。导致网站无法正常显示,出现报错:
Mixed Content: The page at 'https://www.xxx.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.xxx.com/xxx.css'. This request has been blocked; the content must be served over HTTPS.
解决方案
http协议中提供了一个头部:
Content-Security-Policy: upgrade-insecure-requests当它被设置的时候,浏览器会自动将https网站内部的http资源请求升级为https,避免出现mixed content问题。
nginx配置方式:
add_header Content-Security-Policy upgrade-insecure-requests;