1 前言

一个问题，一篇文章，一出故事。
笔者最近代理公司应用，发现https的页面有请求不安全的http也被Blocked的问题，浏览器调试详细显示如下，

Mixed Content: The page at 'https://appname.cmdschool.org/main.jsp' was loaded over HTTPS, but requested an insecure frame 'http://appname.cmdschool.org:443/appname/portal/equiplist/dtHistQueryGuiFet.action'. This request has been blocked; the content must be served over HTTPS.

和同事研究发现可以通过修改页面头解决此问题。

2 最佳实践

2.1 创建反向代理配置文件

vim /etc/nginx/conf.d/appname.cmdschool.org_443.conf

加入如下配置，

  location / {
    #...
    proxy_hide_header Content-Security-Policy;
    add_header Content-Security-Policy Upgrade-Insecure-Requests always;
  }

另外，直接在HTML页面中增加如下代码也可以解决此问题，

<head>
    	<meta http-equiv="Content-Security-Policy" content="Upgrade-Insecure-Requests">
</head>

2.2 重载服务使配置生效

systemctl reload nginx.service
systemctl status nginx.service

参阅文档
=================
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests