Without switching to HTTPS: using CSP (Content-Security-Policy) to solve/mitigate ISP DNS hijacking

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

For more information, see also this article on Content Security Policy (CSP).

Header type: Response header
Forbidden header name: no

Syntax

Content-Security-Policy: <policy-directive>; <policy-directive>

Directives

Fetch directives

Fetch directives control locations from which certain resource types may be loaded.
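The following is an added example, not code from the original page: a simplified model of how a user agent applies fetch directives, parsing the header syntax shown above and checking whether a script, frame or image URL is permitted. The function names, the sample policy and every host name are assumptions constructed for illustration, and only a subset of source expressions is handled.

```javascript
// Added example: simplified model of CSP fetch-directive matching (not a full CSP3 engine).
// Sample policy, page URL and all host names are constructed for illustration.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' static.example.com; img-src *";
const SAMPLE_PAGE = "http://www.example.com/index.html";

// Split "<policy-directive>; <policy-directive>" into a Map of name -> source list.
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression against a resource URL. Covers 'none', 'self', *,
// scheme-sources (https:) and host-sources; path parts and nonces/hashes are not handled.
function sourceMatches(source, resource, page) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return resource.origin === page.origin;
  if (src === "*") return /^https?:$/.test(resource.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return resource.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme the page's scheme applies; http may be upgraded to https.
  const wanted = scheme ? scheme + ":" : page.protocol;
  const upgrade = wanted === "http:" && resource.protocol === "https:";
  if (resource.protocol !== wanted && !upgrade) return false;
  const hostOk = wildcard ? resource.hostname.endsWith("." + host) : resource.hostname === host;
  const defaultPort = resource.protocol === "https:" ? "443" : "80";
  const portOk = port === "*" || (resource.port || defaultPort) === (port || defaultPort);
  return hostOk && portOk;
}

// Decide whether a fetch governed by `directive` may load `resourceUrl`.
// Simplification: every fetch directive falls back straight to default-src.
function allowsFetch(headerValue, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(headerValue);
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // nothing governs this resource type
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, resource, page));
}

console.log(allowsFetch(SAMPLE_POLICY, "script-src", "http://ads.injected.test/a.js", SAMPLE_PAGE));
```

Because the header itself travels over plain HTTP, a party that can rewrite the response body can also strip or alter it, so a policy like this only stops injection that leaves the headers intact.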
