google-chrome - 什么是 "Upgrade-Insecure-Requests"HTTP header ？

Question

我向 HTTP(非 HTTPS)网站发出了一个 POST 请求，在 Chrome 的开发者工具中检查了这个请求，发现它在发送到服务器之前添加了自己的 header :

Upgrade-Insecure-Requests: 1

搜索 Upgrade-Insecure-Requests 后，我只能找到 information关于服务器发送 this header :

Content-Security-Policy: upgrade-insecure-requests

这似乎是相关的，但仍然非常不同，因为在我的例子中，客户端在请求中发送 header ，而我发现的所有信息都是关于服务器在回应。

---

那么为什么 Chrome (44.0.2403.130 m) 将 Upgrade-Insecure-Requests 添加到我的请求中，它有什么作用？

---

2016-08-24 更新:

此 header 已添加为 W3C Candidate Recommendation现在得到官方认可。

对于刚刚遇到这个问题并感到困惑的人，excellent answer Simon East 对此进行了很好的解释。

Upgrade-Insecure-Requests: 1 header 曾经是 HTTPS: 1 in the previous W3C Working Draft并在更改被正式接受之前被 Chrome 悄悄地重命名。

(此问题是在此过渡期间提出的，当时没有关于此 header 的官方文档，并且 Chrome 是唯一发送此 header 的浏览器。)

Answer 1

简答:它与 Content-Security-Policy: upgrade-insecure-requests 密切相关响应 header ，表明浏览器支持它(实际上更喜欢它)。

我用了 30 分钟的谷歌搜索，但最终发现它被埋没在 W3 规范中。

混淆是因为规范中的 header 是 HTTPS: 1 ，这就是 Chromium 实现它的方式，但是在此之后 broke lots of websites that were poorly coded (特别是 WordPress 和 WooCommerce)Chromium 团队道歉:

"I apologize for the breakage; I apparently underestimated the impact based on the feedback during dev and beta."
— Mike West, in Chrome Issue 501842

他们的解决方法是将其重命名为 Upgrade-Insecure-Requests: 1 ，并且规范已经更新以匹配。

无论如何，这里是the W3 spec (as it appeared at the time)的解释...

The HTTPS HTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide.

...

When a server encounters this preference in an HTTP request’s headers, it SHOULD redirect the user to a potentially secure representation of the resource being requested.

When a server encounters this preference in an HTTPS request’s headers, it SHOULD include a Strict-Transport-Security header in the response if the request’s host is HSTS-safe or conditionally HSTS-safe [RFC6797].