{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我欲成王,谁敢阻挡 的问题《http to https - Make browser request corresponding》','https://www.manongdao.com/q-849329.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am interested in switching my entire site from http over to https.
My concern is that I have some content that uses absolute http URLs.
I will need to edit each page in order to change those URLs to relative but that might take me a while to accomplish.
What I would like to know is if there is a way to use Javascript via the Google Tag Manager in order to re-write local absolute URLs to be HTTPS and not HTTP?
If this is possible, could it be used as a permanent solution?
By the time the JavaScript is executed, the problematic resources may already be loading over even loaded.
You can simply search through your code for any instances of
http://and replace those with//or relative URLs.If your content is more complex (say, distributed over multiple machines), you can use a mirroring script (like
wget --mirror http://example.net/) to download a static version of your entire page, and search that.Then, set up HTTPS (first for you only, then for all your testers) and check that everything works fine. Once you are sure that is the case, allow everyone to come over HTTPS. Finally, a bit later, consider redirecting HTTP to HTTPS and implementing secure cookies, HSTS and HPKP.
One solution to consider is the Content Security Policy
upgrade-insecure-requestsdirective.It’d amount to configuring your Web server so all pages on your site get served with this header:
So the effect of adding that header would be: for any page at your site served with an
httpsURL, any time a browser sees in one of those pages anhttpURL for an embedded (sub)resource —whether it be a URL for a stylesheet, script, image, video, or whatever—the browser will automatically (transparently) try to fetch the resource from the correspondinghttpsURL instead.For more details, you can see the Upgrade Insecure Requests spec.
2018-05-11 update
The
upgrade-insecure-requestsdirective is now supported in all major browser engines (including Edge 17+ and Safari 10.3+):https://caniuse.com/#feat=upgradeinsecurerequests
The downside of using it now is, so far it’s only supported in Firefox (since Firefox 42) and Chrome. But it also:P.S., I work at the W3C, where we recently (finally) enabled TLS/https access to all W3C site resources—and since the W3C has hundreds of thousands (maybe millions) of pages with
httpURLs for embedded subresources, the way we were able to make it happen was in part by serving theContent-Security-Policy: upgrade-insecure-requestsheader across the entire site.The article Supporting HTTPS and HSTS on w3.org gives more info about the deployment details.