这个问题在这里已经有了答案:
Mixed-content request from HTTPS page to HTTP (non-HTTPS) localhost address not blocked
(1 个回答)
去年关闭。
我发出一个 HTTP 请求:
fetch('http://localhost:8090').then(...)
它有效。
Chrome (v89.0.4389.90) 和 Firefox (v86.0.1) 中没有“混合内容”错误。只有 Safari 会阻止该请求。但是,对 192.168.1.x 的请求会触发“混合内容”错误。
localhost 是否在 Chrome 和 Firefox 中明确列入白名单?还是浏览器 vendor 计划在某个时候也被“混合内容”阻止?
例如,可以依靠它来控制绑定(bind)到 localhost 并提供 HTTP API 的本地应用程序吗?
最佳答案
来自 MDN
Browsers may allow locally-delivered mixed resources to be loaded. This includes file: URLs and content accessed from loopback addresses (e.g. http://127.0.0.1/).
- Firefox 55 and later allow loading of mixed content on the loopback address http://127.0.0.1/ (see bug 903966),
- Firefox 84 and later allow loading of mixed content on http://localhost/ and http://*.localhost/ URLs, as these are now mapped to loopback addresses (see bug 1220810).
- Chrome also allows mixed content on http://127.0.0.1/ and http://localhost/.
- Safari does not allow any mixed content.
两个
127.0.0.1
和 localhost
被认为是潜在可信的,因此浏览器可以决定结果。https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-origin
Safari 的行为看起来像一个错误,将来可能会改变。在此处查看讨论 Don't treat loopback addresses as mixed content
关于javascript - 从 HTTPS 网页访问的 localhost HTTP。为什么没有 "Mixed Content"错误?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66689081/