Chrome keeps redirecting because of HSTS

I implemented a simple static server like this in /etc/nginx/sites-available/default, which serves a bunch of files:

server {
    listen 80;
    server_name www.x.app x.app;
    root /usr/share/app/front-end/build;
    location / {
        index index.html;
        autoindex on;
        autoindex_exact_size off;
    }
}

But when I browse to http://www.x.app it immediately gets redirected to https://www.x.app, while I want to browse it as http. I searched a lot and found out that Chrome gets a Non-Authoritative-Reason: HSTS header (which redirects me with a 307 Internal Redirect) because of "HSTS" security. Answers said to use add_header Strict-Transport-Security "max-age=0"; in the NginX config, but it doesn't work.

P.S.1: I cleared my Chrome cache, but that doesn't work either.

P.S.2: Querying the HSTS/PKP domain in Chrome gives:

Found:
static_sts_domain: app
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1613773712
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain:
dynamic_upgrade_mode: UNKNOWN
dynamic_sts_include_subdomains:
dynamic_sts_observed:
dynamic_sts_expiry:

When Google launched the .app top-level domain, they announced it would be served only over HTTPS, because HSTS for it would be preloaded into the code of Chrome (and other browsers), rather than relying on sites configuring it in their web servers:

https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/

A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks. Because .app will be the first TLD with enforced security made available for general registration, it’s helping move the web to an HTTPS-everywhere future in a big way.

So if you don't want to use HTTPS, you'll need to use a different domain name. Note that .dev is in the same situation.
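The distinction the answer draws (a static preload entry baked into the browser versus a dynamic entry the site itself set) is exactly what the chrome://net-internals HSTS query output above shows. The following is an added example, not code from the question, the answer, or Chrome: it parses that dump, works out which kind of rule applies to a hostname, and reports whether a server-side Strict-Transport-Security header could ever clear it. It also parses a Strict-Transport-Security header value so the max-age=0 attempt from the question can be checked against the rule type. The sample dump and the function names are constructed for this example.

```python
"""
Added example (not part of the original question or answer): given the
text pasted from Chrome's "Query HSTS/PKP domain" page, decide whether the
HTTPS upgrade for a hostname comes from the static preload list (shipped in
the browser, unaffected by any header the server sends) or from a dynamic
entry (set by the site, clearable by serving max-age=0 over HTTPS).
"""

# Constructed sample: the query output shown in the question above.
SAMPLE_QUERY = """\
Found:
static_sts_domain: app
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1613773712
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain:
dynamic_upgrade_mode: UNKNOWN
dynamic_sts_include_subdomains:
dynamic_sts_observed:
dynamic_sts_expiry:
"""


def parse_hsts_query(text):
    """Turn the 'key: value' lines of the dump into a dict.
    A key with nothing after the colon maps to '' (no value set)."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line or line.strip() == "Found:":
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return entry


def _rule_covers(entry, prefix, host):
    """True if the static_/dynamic_ rule in `entry` applies to `host`:
    exact match, or a subdomain when include_subdomains is true."""
    domain = entry.get(prefix + "sts_domain", "")
    if not domain or entry.get(prefix + "upgrade_mode") != "FORCE_HTTPS":
        return False
    if host == domain:
        return True
    subs = entry.get(prefix + "sts_include_subdomains") == "true"
    return subs and host.endswith("." + domain)


def hsts_source(entry, hostname):
    """Return 'static', 'dynamic' or None: where the upgrade-to-HTTPS rule
    that Chrome applies to `hostname` comes from."""
    host = hostname.lower().rstrip(".")
    if _rule_covers(entry, "static_", host):
        return "static"
    if _rule_covers(entry, "dynamic_", host):
        return "dynamic"
    return None


def server_header_can_clear(entry, hostname):
    """Only a dynamic entry can be cleared by the site itself (by serving
    'Strict-Transport-Security: max-age=0' over HTTPS). A static preload
    entry ignores whatever header the origin sends, which is why the
    max-age=0 attempt in the question has no effect for a .app name."""
    return hsts_source(entry, hostname) == "dynamic"


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            parsed["max_age"] = int(directive[len("max-age="):].strip('"'))
        elif directive == "includesubdomains":
            parsed["include_subdomains"] = True
        elif directive == "preload":
            parsed["preload"] = True
    return parsed


if __name__ == "__main__":
    entry = parse_hsts_query(SAMPLE_QUERY)
    for name in ("www.x.app", "x.app", "example.com"):
        print(name, hsts_source(entry, name), server_header_can_clear(entry, name))
    print(parse_sts_header('max-age=0'))
```

Running it on the pasted dump reports "static" for both www.x.app and x.app (the preload entry is for the whole .app TLD with include_subdomains set), so `server_header_can_clear` is False for them regardless of what nginx sends; only a hostname whose rule shows up under the dynamic_ keys could be cleared with max-age=0.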