11

假设我有一个表格,现在正在发帖:

<form id="post-form" class="post-form" 
      action="/questions/ask/submit" method="post">

您会注意到 中没有站点action浏览器跟随它从哪里获取页面。

浏览器在发布时遵循当前的域规则

If the current page is...                then the browser will POST to
=======================================  =============
http://stackoverflow.com/questions/ask   http://stackoverflow.com/questions/ask/submit
https://stackoverflow.com/questions/ask  https://stackoverflow.com/questions/ask/submit

但我想确保浏览器始终会转到安全页面:

http://stackoverflow.com/questions/ask   https://stackoverflow.com/questions/ask/submit

通常你会尝试这样的事情:

<form id="post-form" class="post-form" 
      action="https://stackoverflow.com/questions/ask/submit" method="post">

除非需要知道托管站点的域和虚拟路径名(例如stackoverflow.com)。如果网站发生了变化:

  • stackoverflow.net
  • stackoverflow.com/mobile
  • de.stackoverflow.com
  • stackoverflow.co.uk/fr
  • beta.stackoverflow.com

那么表格action也必须更新:

<form id="post-form" class="post-form" action="https://stackoverflow.net/questions/ask/submit" method="post">

<form id="post-form" class="post-form" action="https://stackoverflow.com/mobile/questions/ask/submit" method="post">

<form id="post-form" class="post-form" action="https://de.stackoverflow.com/questions/ask/submit" method="post">

<form id="post-form" class="post-form" action="https://stackoverflow.co.uk/fr/questions/ask/submit" method="post">

<form id="post-form" class="post-form" action="https://beta.stackoverflow.com/questions/ask/submit" method="post">

如何指示浏览器转到页面https的版本?

假设语法:

<form id="post-form" class="post-form" action="https://./questions/ask/submit" method="post">

302、303、307

最初302 Found是告诉用户代理去其他地方的代码。目的是浏览器会在新位置再次尝试:

POST /questions/ask/submit

302 Found
Location: /submitquestion

POST /submitquestion

不幸的是,所有浏览器都弄错了,并且总是错误地GET在新位置上使用:

POST /questions/ask/submit

302 Found
Location: /submitquestion

GET /submitquestion

因为浏览器弄错了,所以创建了两个新代码:

  • 302 Found:(不推荐使用旧版)在新位置再次尝试完全相同的操作;但旧版浏览器正在切换到GET
  • 303 See Other:忘记用户在做什么,然后GET在这个位置上做一个
  • 307 Temporary Redirect:在新位置再次尝试完全相同的事情(不,说真的,同样的事情 - 我没有说你可以切换到GET。如果你正在做,DELETE那就去DELETE这里。)

例如,如果用户代理在中间POST

| Response               | What agent should do  | What many agents actually do |
|------------------------|-----------------------|------------------------------|
| 302 Found              | POST to new Location  | GET from new Location        |
| 303 See Other          | GET from new Location | GET from new Location        |
| 307 Temporary Redirect | POST to new Location  | POST to new Location         |

理想情况下,有一种方法可以用来告诉用户代理在安全 URL 上再次307 Temporary Redirect尝试:POST

POST /questions/ask/submit

307 Temporary Redirect
Location: https://beta.stackoverflow.com/questions/ask/submit

POST /questions/ask/submit

我可以在 ASP.net 中使用足够好的服务器端:

if (!Request.IsSecureConnection)
{
   string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
   Response.Redirect(redirectUrl);

   //We don't want to send the client the deprecated 302 code, we want to use 307 telling them that we really want them to continue the POST, PUT, DELETE, etc
   Response.StatusCode = (int)System.Net.HttpStatusCode.TemporaryRedirect;     
   Response.End();
}

但我不知道您是否可以在Location.

4

2 回答 2

5

您可以使用 javascript 更改表单的操作:

var form = document.getElementById("post-form");
form.action = location.href.replace(/^http:/, 'https:');

但是有一些安全考虑,我建议您将表单的 url 重定向到 https。虽然你可以从 javascript 来做,但你永远不应该信任 javascript,因为它涉及到安全性,所以从服务器上做(它也更快,页面不需要加载,只有 http 标头)

于 2012-05-01T19:55:25.473 回答
0

您最好确保如果用户已经登陆您的 http 页面,您将他重定向到 https 等价物。在你的 :

<script>
if ((window.location.href.substring(0, 8) != "https://") {
  window.location = location.href.replace(/^http:/, 'https:');
}
</script>
于 2018-09-03T19:15:42.833 回答