假设我现在正在发表一个表格:
<form id="post-form" class="post-form"
action="/questions/ask/submit" method="post">
您会注意到action中没有网站,浏览器会跟随其获取网页的位置。
发布时,浏览器会遵循当前的域规则
If the current page is... then the browser will POST to
======================================= =============
http://stackoverflow.com/questions/ask http://stackoverflow.com/questions/ask/submit
https://stackoverflow.com/questions/ask https://stackoverflow.com/questions/ask/submit
但我想确保浏览器始终转到安全页面:
http://stackoverflow.com/questions/ask https://stackoverflow.com/questions/ask/submit
通常你会尝试这样的事情:
<form id="post-form" class="post-form"
action="https://stackoverflow.com/questions/ask/submit" method="post">
除了需要知道托管网站的域名和虚拟路径名称(例如stackoverflow.com)。如果网站被更改:
stackoverflow.net stackoverflow.com/mobile de.stackoverflow.com stackoverflow.co.uk/fr beta.stackoverflow.com 然后表格action也必须更新:
<form id="post-form" class="post-form" action="https://stackoverflow.net/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://stackoverflow.com/mobile/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://de.stackoverflow.com/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://stackoverflow.co.uk/fr/questions/ask/submit" method="post">
<form id="post-form" class="post-form" action="https://beta.stackoverflow.com/questions/ask/submit" method="post">
如何指示浏览器转到页面的https版本?
假设语法:
<form id="post-form" class="post-form" action="https://./questions/ask/submit" method="post">
最初302 Found是告诉用户代理去其他地方的代码。目的是浏览器只需在新位置再试一次:
POST /questions/ask/submit
302 Found
Location: /submitquestion
POST /submitquestion
不幸的是,所有浏览器都错了,并且错误地总是在新位置使用GET:
POST /questions/ask/submit
302 Found
Location: /submitquestion
GET /submitquestion
由于浏览器出错了,因此创建了两个新代码:
302 Found :(旧版已弃用)在新位置再次尝试完全相同的内容;但是旧版浏览器正在切换到GET 303 See Other :忘记用户正在做的事情,然后在此位置上执行GET 307 Temporary Redirect:在新的位置再次尝试完全相同的事情(不,严重的,同样的事情 - 我没有说你可以切换到GET。如果您正在执行DELETE,请转到此处DELETE。)例如,如果用户代理位于POST:
| Response | What agent should do | What many agents actually do |
|------------------------|-----------------------|------------------------------|
| 302 Found | POST to new Location | GET from new Location |
| 303 See Other | GET from new Location | GET from new Location |
| 307 Temporary Redirect | POST to new Location | POST to new Location |
理想情况下,有一种方法可以使用307 Temporary Redirect告诉用户代理在安全网址上再次尝试POST:
POST /questions/ask/submit
307 Temporary Redirect
Location: https://beta.stackoverflow.com/questions/ask/submit
POST /questions/ask/submit
我可以在ASP.net中使用足够好的服务器端:
if (!Request.IsSecureConnection)
{
string redirectUrl = Request.Url.ToString().Replace("http:", "https:");
Response.Redirect(redirectUrl);
//We don't want to send the client the deprecated 302 code, we want to use 307 telling them that we really want them to continue the POST, PUT, DELETE, etc
Response.StatusCode = (int)System.Net.HttpStatusCode.TemporaryRedirect;
Response.End();
}
但我不知道你是否可以在Location中指定一个完整的uri。
答案 0 :(得分:3)
您可以使用javascript更改表单的操作:
var form = document.getElementById("post-form");
form.action = location.href.replace(/^http:/, 'https:');
但是有一些security considerations,我建议你将表单的网址重定向到https。虽然你可以从javascript中做到这一点,但是当它获得安全性时你永远不应该信任javascript,所以从服务器做它(它也更快,页面不必加载,只有http头)
答案 1 :(得分:0)
您最好确保如果用户登陆到您的http页面,则将其重定向到等效的https。 在您的:
<script>
if ((window.location.href.substring(0, 8) != "https://") {
window.location = location.href.replace(/^http:/, 'https:');
}
</script>