How do I completely prevent any mixed content from loading?
Current browsers are already blocking active mixed content (scripts). What I really want is to block all of it including images.
Purpose of this is to immediately see every offending image or file as broken, but not as an ambiguous warning in the address bar.
Is there a cross-browser way to do that?
The standard way to strictly block all mixed content: block-all-mixed-content
CSP directive.
In the simplest case if you’re not setting other CSP directives, it requires just sending this header:
Content-Security-Policy: block-all-mixed-content
Since not every browser support this directive, it may be feasible to send an extended header instead:
Content-Security-Policy: img-src https: data:
Other option is to force all plain http requests to go over https:
Content-Security-Policy: upgrade-insecure-requests
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With