开发者

Why is a file requested through https after it has already been fetched through http?

I am trying to understand Http/Https a little better and possibly what headers I'm sending clients.

Does the client have to re-fetch the same file under Https when it has already been fetched under Http, or do I need to send special headers?

Well, the reason the file is served over http/https is that it is simply a banner. When the user goes to a secure page, the banner is still in that particular template. Once t开发者_开发百科he user does get the file via Https, the file is cached as expected.

Walter


https is considered a different "domain" from http and so if you send a file to a client over a http connection, then switch to https (even if you don't change anything else) the browser will still request the file again - as if the file wasn't in the cache. It's just like if you requested http://www.example1.com/file.txt and then http://www.example2.com/file.txt the might be the "same" file, but the browser doesn't know and so it's got to fetch it a second time.

Once it's requested it via https, though, it'll cache as normal.


You don't need to fetch the file again (and definitely shouldn't).

HTTPS is HTTP combined with SSL/TLS. It creates a secure connection which can help prevent eavesdropping and man in the middle attacks.

You don't need to fetch it again over a secure channel - the content will be the same whether fetched via an encrypted channel or not.

If you fetch the content for a second time over a secure channel, someone could have still 'listened in' the first time and seen the data you fetched. The act of fetching if the second time is in no way connected to the first time.

If you require the added security of HTTPS, don't fetch the file over non encrypted HTTP at all, as it will not be secure and thus not protected.

There is no need to do an HTTP then HTTPS request, just do one HTTPS.


A website could deliver different versions of a file over HTTP and HTTPS so the browser has to treat them as being separate.

All content is cached by URL. Since the URL contains the protocol, there will be separate cache entries for the HTTP and HTTPS version of a file.

The way to avoid this is to always deliver the HTTPS version of a file. You can't use the HTTP version of a secure page or you run into IE's dreaded mixed content warning:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜