CSP: upgrade-insecure-requests
Baseline
Widely available
This feature is well established and works across many devices and browser versions. It's been available across browsers since April 2018.
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). This directive is intended for websites that have large numbers of insecure legacy URLs that need to be rewritten.
Note:
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content, so if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other; do not specify both unless you want to force HTTPS on older browsers that do not enforce it after a redirect to HTTP.
The upgrade-insecure-requests directive does not guarantee that users who reach the site via a link on a third-party site will be upgraded to HTTPS for the top-level navigation, so it does not replace the Strict-Transport-Security (HSTS) header. Make sure an appropriate max-age is set so that users are not exposed to SSL stripping attacks.
Syntax
Content-Security-Policy: upgrade-insecure-requests;
Examples
Using the HTTP header
Content-Security-Policy: upgrade-insecure-requests;
Using the HTML meta element
<meta
http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests" />
With the above header set on the domain example.com, which is migrating from HTTP to HTTPS, non-navigational insecure resource requests (first-party as well as third-party requests) are automatically upgraded.
<img src="http://example.com/image.png" />
<img src="http://not-example.com/image.png" />
These URLs are rewritten before the request is made, meaning that no insecure request ever reaches the network. Note that if the requested resource is not actually available over HTTPS, the request fails without any fallback to HTTP.
<img src="https://example.com/image.png" />
<img src="https://not-example.com/image.png" />
Navigational upgrades to third-party resources carry a significantly higher potential for breakage, so these are not upgraded.
<a href="https://example.com/">Home</a>
<a href="http://not-example.com/">Home</a>
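The rewriting rules described above, as an added example that is not MDN's code: a simplified model of how a user agent applies upgrade-insecure-requests to the URLs of a document served from `pageOrigin` over HTTPS. The function names (`upgradeInsecureRequest`, `rewriteHtml`) and the sample markup are assumptions constructed for this example; only the scheme and same-host rules are modelled, and the regex-based HTML rewriting stands in for the browser's DOM-level handling.

```javascript
// Added example, not MDN's code: a simplified model of the directive's rewriting rules.
// Assumption: the page is served from pageOrigin over HTTPS.

// Upgrade one request URL. isNavigation distinguishes <a href> style navigations
// (only upgraded when the target host matches the document's host) from
// subresource loads such as <img src> (upgraded regardless of host).
function upgradeInsecureRequest(requestUrl, pageOrigin, isNavigation = false) {
  // Resolve relative URLs against the page, as a browser would.
  const url = new URL(requestUrl, pageOrigin);
  const page = new URL(pageOrigin);
  const insecure = url.protocol === "http:" || url.protocol === "ws:";
  if (!insecure) {
    return { url: url.href, upgraded: false, reason: "already secure" };
  }
  if (isNavigation && url.host !== page.host) {
    // Third-party navigations are left alone: upgrading them breaks too much.
    return { url: url.href, upgraded: false, reason: "third-party navigation" };
  }
  // http: -> https:, ws: -> wss:. The WHATWG URL parser already drops an explicit
  // default port (":80"), so the rewritten URL lands on the HTTPS default port.
  url.protocol = url.protocol === "http:" ? "https:" : "wss:";
  return { url: url.href, upgraded: true, reason: "insecure request upgraded" };
}

// Rewrite the URLs in an HTML snippet the way the directive would before any
// request hits the network. Regexes are enough for this constructed markup;
// a real user agent works on the parsed DOM.
const SUBRESOURCE_RE = /(<(?:img|script|iframe|link)\b[^>]*?\s(?:src|href)=")([^"]+)(")/g;
const NAVIGATION_RE = /(<a\b[^>]*?\shref=")([^"]+)(")/g;

function rewriteHtml(html, pageOrigin) {
  return html
    .replace(SUBRESOURCE_RE, (_m, pre, u, post) =>
      pre + upgradeInsecureRequest(u, pageOrigin, false).url + post)
    .replace(NAVIGATION_RE, (_m, pre, u, post) =>
      pre + upgradeInsecureRequest(u, pageOrigin, true).url + post);
}

// Constructed sample markup, as served by https://example.com with the directive set.
const SAMPLE_HTML = [
  '<img src="http://example.com/image.png" />',
  '<img src="http://not-example.com/image.png" />',
  '<a href="http://example.com/">Home</a>',
  '<a href="http://not-example.com/">Home</a>',
].join("\n");

console.log(rewriteHtml(SAMPLE_HTML, "https://example.com/"));
```

Running it prints the four lines with both images and the first-party link on https:, while the third-party link keeps its http: scheme, which is exactly the split the page describes: subresources are always upgraded, third-party navigations never are.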
Finding insecure requests
Using the Content-Security-Policy-Report-Only header and the report-uri directive, you can set up an enforced policy and a reporting policy as follows.
Content-Security-Policy: upgrade-insecure-requests; default-src https:
Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
In this way, insecure requests on the secure site are still upgraded, but insecure resources are reported to the endpoint only when they violate the monitoring policy.
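What the /endpoint side of the reporting policy above can do with the reports, as an added example that is not MDN's code: parse the JSON bodies a browser POSTs to a report-uri endpoint and aggregate the ones whose blocked URI is still an http: or ws: resource, per host. The function names (`parseCspReport`, `insecureHost`, `summarizeInsecureRequests`) and the sample report bodies are constructed for this example; the field names are those of the report-uri report format.

```javascript
// Added example, not MDN's code: aggregating CSP violation reports POSTed to /endpoint.
// The bodies below are constructed sample data in the report-uri JSON format.
const SAMPLE_REPORT_BODIES = [
  JSON.stringify({
    "csp-report": {
      "document-uri": "https://example.com/products",
      "blocked-uri": "http://example.com/legacy/logo.png",
      "violated-directive": "default-src https:",
      "effective-directive": "img-src",
      "original-policy": "default-src https:; report-uri /endpoint",
      "disposition": "report",
    },
  }),
  JSON.stringify({
    "csp-report": {
      "document-uri": "https://example.com/products",
      "blocked-uri": "http://not-example.com/widget.js",
      "violated-directive": "default-src https:",
      "effective-directive": "script-src",
      "original-policy": "default-src https:; report-uri /endpoint",
      "disposition": "report",
    },
  }),
  JSON.stringify({
    "csp-report": {
      "document-uri": "https://example.com/cart",
      "blocked-uri": "inline",
      "violated-directive": "default-src https:",
      "effective-directive": "script-src",
      "original-policy": "default-src https:; report-uri /endpoint",
      "disposition": "report",
    },
  }),
  "not json at all", // a malformed body, which a public endpoint must expect
];

// Parse one POST body; returns the inner report object or null if malformed.
function parseCspReport(body) {
  try {
    const parsed = JSON.parse(body);
    const report = parsed && parsed["csp-report"];
    if (!report || typeof report["blocked-uri"] !== "string") return null;
    return report;
  } catch {
    return null;
  }
}

// A violation is an "insecure request" when the blocked URI is a real http:/ws: URL.
// blocked-uri can also be a keyword such as "inline" or "eval", which is not a URL.
function insecureHost(report) {
  try {
    const url = new URL(report["blocked-uri"]);
    return url.protocol === "http:" || url.protocol === "ws:" ? url.host : null;
  } catch {
    return null;
  }
}

// Aggregate a batch of bodies into counts per insecure host: the list a migration
// team needs, i.e. which servers are still referenced over plain HTTP.
function summarizeInsecureRequests(bodies) {
  const summary = { received: bodies.length, malformed: 0, insecure: 0, byHost: {} };
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (!report) {
      summary.malformed += 1;
      continue;
    }
    const host = insecureHost(report);
    if (!host) continue;
    summary.insecure += 1;
    summary.byHost[host] = (summary.byHost[host] || 0) + 1;
  }
  return summary;
}

console.log(JSON.stringify(summarizeInsecureRequests(SAMPLE_REPORT_BODIES), null, 2));
```

On the sample data this yields two insecure requests (one on example.com, one on not-example.com), one non-URL violation that is ignored, and one malformed body. In production the same functions would sit behind an HTTP handler for POST /endpoint; the endpoint should be prepared for arbitrary bodies, since anyone can POST to it.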
Specifications
| Specification |
|---|
| Upgrade Insecure Requests # delivery |
Browser compatibility
See also
- Content-Security-Policy
- Upgrade-Insecure-Requests header
- Strict-Transport-Security (HSTS) header
- block-all-mixed-content
- Mixed content