有没有办法确定站点是否在 AS3 中启用了 HSTS?
Is there a way to determine if a site is HSTS-enabled in AS3?
当用户访问启用了 HSTS 的网页时,浏览器会检测到这一点,并会记住在将来使用 HTTPS 来请求该站点。有没有办法在 AS3 中请求页面并确定返回的页面是否启用了 HSTS(直接通过 SWF 中的 AS3 或使用 ExternalInterface)?
就像维基百科定义的那样,HSTS (HTTP Strict Transport Security)是一个信息
... is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security".
这里我们可以了解到,此信息只能从 HTTP 响应中获得 headers。对于 Flash,不可能获得 HTTP 响应 headers,不像 AIR 可以使用 HTTPStatusEvent 获得它:
In Flash Player, there is only one type of HTTPStatus event: httpStatus. In the AIR runtime, a FileReference, URLLoader, or URLStream can register to listen for an httpResponseStatus, which includes responseURL and responseHeaders properties. These properties are undefined in a httpStatus event.
对于 javascript(或外部接口,如果需要),要获得 HTTP 响应 headers,您必须使用 AJAX,它只能通过 CORS (Cross-Origin Resource Sharing) Enabled server that enable client-side cross-origin requests, otherwise, you will be blocked by the server and your browser wil show you a pretty "No Access-Control-Allow-Origin ..." error, of course all that using a browser which can do XMLHttpRequests across domains 获得.
结论:无论是否启用HSTS,Flash和javascript(可能在某些启用CORS的情况下)都无法真正获取。
当用户访问启用了 HSTS 的网页时,浏览器会检测到这一点,并会记住在将来使用 HTTPS 来请求该站点。有没有办法在 AS3 中请求页面并确定返回的页面是否启用了 HSTS(直接通过 SWF 中的 AS3 或使用 ExternalInterface)?
就像维基百科定义的那样,HSTS (HTTP Strict Transport Security)是一个信息
... is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security".
这里我们可以了解到,此信息只能从 HTTP 响应中获得 headers。对于 Flash,不可能获得 HTTP 响应 headers,不像 AIR 可以使用 HTTPStatusEvent 获得它:
In Flash Player, there is only one type of HTTPStatus event: httpStatus. In the AIR runtime, a FileReference, URLLoader, or URLStream can register to listen for an httpResponseStatus, which includes responseURL and responseHeaders properties. These properties are undefined in a httpStatus event.
对于 javascript(或外部接口,如果需要),要获得 HTTP 响应 headers,您必须使用 AJAX,它只能通过 CORS (Cross-Origin Resource Sharing) Enabled server that enable client-side cross-origin requests, otherwise, you will be blocked by the server and your browser wil show you a pretty "No Access-Control-Allow-Origin ..." error, of course all that using a browser which can do XMLHttpRequests across domains 获得.
结论:无论是否启用HSTS,Flash和javascript(可能在某些启用CORS的情况下)都无法真正获取。