CSP: block-all-mixed-content
Deprecated: This feature is no longer recommended. Some browsers may still support it, but it has already been removed from the relevant web standards, is in the process of being removed, or is being kept only for compatibility. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may stop working at any time.
Warning: The specification positions this directive as obsolete. It was previously optional and was used to prevent blockable mixed content from being fetched and displayed in an insecure way. Because non-blockable mixed content is now always upgraded to a protected connection, this directive is no longer needed.
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents a page from loading any assets over HTTP when the page itself is served over HTTPS.
All mixed-content resource requests are blocked, including both blockable and upgradeable ones. This also applies to <iframe> documents, which ensures that the entire page is free of mixed content.
Note:
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content. If the former is set, the latter does nothing. Set one directive or the other; setting both has no additional effect, unless you want to force HTTPS in older browsers that cannot enforce HTTPS after being redirected to HTTP.
Syntax
Content-Security-Policy: block-all-mixed-content;
Examples
Content-Security-Policy: block-all-mixed-content;
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
To disable HTTP assets at a more granular level, you can instead set https: on individual directives.
For example, to disallow insecure HTTP images:
Content-Security-Policy: img-src https:
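The following is an added example, not code from MDN or from any browser, that audits a CSP header for the three mechanisms this page describes: the precedence of upgrade-insecure-requests over block-all-mixed-content from the note above, the blanket blocking of http: sub-resources on an https: page, and the more granular per-directive "https:" scheme source such as img-src https:. The resource-type-to-directive mapping and the source-matching rules are deliberately simplified assumptions; the function reports only what the CSP header itself enforces, not the browser's built-in mixed-content blocking.

```python
"""Audit a Content-Security-Policy header for mixed-content handling.

Added example (not MDN's code). Given a CSP header string, an https: page
URL and an http: sub-resource URL, it reports whether the policy would
upgrade, block, or allow the request, following the order the page gives:
  1. upgrade-insecure-requests is evaluated first and wins;
  2. block-all-mixed-content blocks every http: request, iframes included;
  3. a per-directive "https:" scheme source (e.g. img-src https:) blocks
     http: loads of that resource type only.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed, simplified mapping from a resource type to the directive that
# governs it. Real CSP has more directives and fallback rules than this.
TYPE_TO_DIRECTIVE = {
    "image": "img-src",
    "script": "script-src",
    "style": "style-src",
    "frame": "frame-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}.

    As in browsers, a directive that appears twice keeps its first value.
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        policy.setdefault(name, values)  # duplicate directives are ignored
    return policy


def evaluate(header: str, page_url: str, resource_url: str, resource_type: str) -> str:
    """Return 'upgraded', 'blocked' or 'allowed' for loading resource_url from page_url."""
    if urlsplit(page_url).scheme != "https" or urlsplit(resource_url).scheme != "http":
        return "allowed"  # not a mixed-content request at all
    policy = parse_csp(header)

    # Step 1: upgrade-insecure-requests is evaluated first, so when both
    # directives are present the request is upgraded, never blocked.
    if "upgrade-insecure-requests" in policy:
        return "upgraded"

    # Step 2: block-all-mixed-content blocks every http: sub-resource.
    if "block-all-mixed-content" in policy:
        return "blocked"

    # Step 3: a scheme-only "https:" source on the governing directive
    # (falling back to default-src) rejects http: loads of that type.
    directive = TYPE_TO_DIRECTIVE.get(resource_type)
    sources = policy.get(directive) if directive else None
    if sources is None:
        sources = policy.get("default-src")
    if sources is not None and "https:" in sources and "http:" not in sources:
        return "blocked"

    # Simplification: only the CSP header is consulted here. Browsers still
    # apply their own default mixed-content blocking on top of this.
    return "allowed"


if __name__ == "__main__":
    # Constructed sample inputs.
    page = "https://shop.example/checkout"
    image = "http://cdn.example/logo.png"
    for header in (
        "block-all-mixed-content",
        "upgrade-insecure-requests; block-all-mixed-content",
        "img-src https:",
    ):
        print(f"{header!r:55} -> {evaluate(header, page, image, 'image')}")
```

Running the block prints one line per constructed policy: the first blocks the image, the second upgrades it (because upgrade-insecure-requests is evaluated first), and the third blocks it through the granular img-src https: source while leaving other resource types unaffected.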
Specifications
This directive is not part of any current specification. It was defined in the older Mixed Content Level 1 specification.