CSP: upgrade-insecure-requests



HTTP Content-Security-Policy (CSP) upgrade-insecure-requests指令指示客户端将该站点的所有不安全URL(通过HTTP提供的URL)视为已被替换为安全URL(通过HTTPS提供的URL)。该指令适用于需要重写大量不安全的旧版URL的网站。

upgrade-insecure-requests指令在 block-all-mixed-content 之前被执行,如果其被设置,后者实际上是空操作。可以设置其中一个,但不能同时设置。

The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.


Content-Security-Policy: upgrade-insecure-requests;


// header
Content-Security-Policy: upgrade-insecure-requests;

// meta tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

一旦将上述头部设置在计划从HTTP迁移到HTTPS的example.com域名上, 非跳转(non-navigational)的不安全资源请求会自动升级到HTTPS(包括第当前域名以及第三方请求)。

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

这些URL在请求发送之前都会被改写成HTTPS,也就意味着不安全的请求都不会发送出去。注意,如果请求的资源在HTTPS情况下不可用,则该请求将失败, 其也不能回退到HTTP。

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

Navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded:

<a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a>

Finding insecure requests

通过 Content-Security-Policy-Report-Only  HTTP头部和 report-uri 指令,您可以设置执行策略和报告策略,如下所示:

Content-Security-Policy: upgrade-insecure-requests; default-src https: 
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint

That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure resources to your endpoint.


Specification Status Comment
Upgrade Insecure Requests
Candidate Recommendation Initial definition.

Browser compatibility

Update compatibility data on GitHub
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidEdge MobileFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
upgrade-insecure-requestsChrome Full support 43Edge No support No
No support No
Notes Under consideration for future release.
Firefox Full support 42IE No support NoOpera Full support 30Safari Full support 10.1WebView Android Full support 43Chrome Android Full support 43Edge Mobile No support NoFirefox Android Full support 42Opera Android Full support 30Safari iOS Full support 10.3Samsung Internet Android Full support 4.0


Full support  
Full support
No support  
No support
See implementation notes.
See implementation notes.

See also


此页面的贡献者: mdnwebdocs-bot, shevacjs
最后编辑者: mdnwebdocs-bot,