Html 如何 POST 到 HTTPs?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10402966/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to POST to HTTPs?
提问by Ian Boyd
Assume i have a form that right now is doing a post:
假设我有一个现在正在发帖的表格:
<form id="post-form" class="post-form"
action="/questions/ask/submit" method="post">
You'll notice there is no sitein the action, the browser follows where it got the page from.
你会发现没有网站的action,浏览器遵循它得到了来自网页。
The browser follows current domain rules when posting
浏览器在发布时遵循当前域规则
If the current page is... then the browser will POST to
======================================= =============
http://stackoverflow.com/questions/ask http://stackoverflow.com/questions/ask/submit
https://stackoverflow.com/questions/ask https://stackoverflow.com/questions/ask/submit
But I want to ensure that the browser will always go to the securepage:
但我想确保浏览器始终会转到安全页面:
http://stackoverflow.com/questions/ask https://stackoverflow.com/questions/ask/submit
Normally you would try something like:
通常你会尝试这样的事情:
<form id="post-form" class="post-form"
action="https://stackoverflow.com/questions/ask/submit" method="post">
Except that requires knowing the domain and virtual path name of hosting site (e.g. stackoverflow.com). If the site were changed:
除了需要知道托管站点的域和虚拟路径名称(例如stackoverflow.com)。如果网站被更改:
stackoverflow.netstackoverflow.com/mobilede.stackoverflow.comstackoverflow.co.uk/frbeta.stackoverflow.com
stackoverflow.netstackoverflow.com/mobilede.stackoverflow.comstackoverflow.co.uk/frbeta.stackoverflow.com
then the form actionwould have to be updated also:
那么表格action也必须更新:
<form id="post-form" class="post-form" action="https://stackoverflow.net/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://stackoverflow.com/mobile/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://de.stackoverflow.com/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://stackoverflow.co.uk/fr/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://beta.stackoverflow.com/questions/ask/submit" method="post">
How can I instruct the browser to go to httpsversion of a page?
如何指示浏览器转到页面的https版本?
Hypothetical syntax:
假设语法:
<form id="post-form" class="post-form" action="https://./questions/ask/submit" method="post">
302, 303, 307
302、303、307
Originally 302 Foundwas the code to tell the user agent to go someplace else. The intention was that browsers would simply try again at the new location:
最初302 Found是告诉用户代理去其他地方的代码。目的是浏览器会简单地在新位置重试:
POST /questions/ask/submit
302 Found
Location: /submitquestion
POST /submitquestion
Unfortunately all browsers got it wrong, and would mistakenly always use GETon the new location:
不幸的是,所有浏览器都弄错了,并且总是错误地GET在新位置使用:
POST /questions/ask/submit
302 Found
Location: /submitquestion
GET /submitquestion
Because browsers got it wrong, two new codes were created:
因为浏览器弄错了,所以创建了两个新代码:
302 Found: (Legacy deprecated)Try the exact same thing again at the new location; but legacy browsers were switching toGET303 See Other: Forget whatever the user was doing, and go do aGETon this Location307 Temporary Redirect:Try the exact same thing again at the new Location(No, seriously, the same thing - i didn't say you could switch toGET. If you were doing aDELETEthen goDELETEit over here.)
302 Found:(旧版已弃用)在新位置再次尝试完全相同的操作;但传统浏览器正在切换到GET303 See Other:忘记用户在做什么,然后GET在这个位置做一个307 Temporary Redirect:在新的位置再次尝试完全相同的事情(不,说真的,同样的事情 - 我没有说你可以切换到GET。如果你在做,DELETE那就去DELETE这里。)
For example, if the user agent was in the middle of a POST:
例如,如果用户代理位于 a 的中间POST:
| Response | What agent should do | What many agents actually do |
|------------------------|-----------------------|------------------------------|
| 302 Found | POST to new Location | GET from new Location |
| 303 See Other | GET from new Location | GET from new Location |
| 307 Temporary Redirect | POST to new Location | POST to new Location |
Ideally, there would be a way to use 307 Temporary Redirectto tell the user agent to try the POSTagain on the secure URL:
理想情况下,有一种方法可以307 Temporary Redirect用来告诉用户代理POST在安全 URL 上再次尝试:
POST /questions/ask/submit
307 Temporary Redirect
Location: https://beta.stackoverflow.com/questions/ask/submit
POST /questions/ask/submit
and i can get away with that well enough server-side in ASP.net:
我可以在 ASP.net 中很好地摆脱服务器端:
if (!Request.IsSecureConnection)
{
string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
Response.Redirect(redirectUrl);
//We don't want to send the client the deprecated 302 code, we want to use 307 telling them that we really want them to continue the POST, PUT, DELETE, etc
Response.StatusCode = (int)System.Net.HttpStatusCode.TemporaryRedirect;
Response.End();
}
But i don't know if you can specify a full uri in a Location.
但我不知道您是否可以在Location.
采纳答案by Gavriel
you can change the form's action with javascript:
您可以使用 javascript 更改表单的操作:
var form = document.getElementById("post-form");
form.action = location.href.replace(/^http:/, 'https:');
But there are some security considerations, and I would suggest you to redirect your form's url to https. And although you could do it from javascript, you should never trust javascript when it gets to security, so do it from the server (it's also faster, the page doesn't have to be loaded, only the http header)
但是有一些安全考虑,我建议您将表单的 url 重定向到 https。尽管您可以从 javascript 中执行此操作,但在达到安全性时您永远不应信任 javascript,因此请从服务器执行此操作(它也更快,不必加载页面,只需加载 http 标头)
回答by Yogev
You'd better make sure that if the user has landed on your http page you redirect him to the https equivalent. In your :
你最好确保如果用户登陆了你的 http 页面,你会将他重定向到 https 等价的页面。在你的 :
<script>
if ((window.location.href.substring(0, 8) != "https://") {
window.location = location.href.replace(/^http:/, 'https:');
}
</script>
