
How can I allow Mixed contents (http with https) using content-security-policy meta tag?


I'm forcing https to access my website, but some of the contents must be loaded over http (for example video contents cannot be over https), but the browsers block the request because of the mixed-content policy.

After hours of searching I found that I can use Content-Security-Policy but I have no idea how to allow mixed contents with it.

<meta http-equiv="Content-Security-Policy" content="????"> 
Mustafa Dwekat asked May 05 '16 06:05



1 Answer

You can't.

CSP is there to restrict content on your website, not to loosen browser restrictions.

Secure https sites give users certain guarantees and it's not really fair to then allow http content to be loaded over them (hence the mixed content warnings), and really not fair if you could hide these warnings without your users' consent.

You can use CSP for a couple of things to aid a migration to https, for example:

  1. You can use it to automatically upgrade http requests to https (though browser support isn't universal). This helps in case you missed changing an http link to its https equivalent. However, this assumes the resource can be loaded over https, and it sounds like you cannot load them over https, so that's not an option.

  2. You can also use CSP to help you identify any http resources on your site you missed, by reporting back a message to a service you can monitor to say an http resource was attempted to be loaded. This allows you to identify and fix the http links to https so you don't have to depend on the above automatic upgrade.

But neither is what you are really looking for.

Barry Pollard answered Sep 18 '22 15:09
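The two migration aids the answer describes, as an added example (not code from the question or the answer): a helper that builds the policy value with `upgrade-insecure-requests` and a `report-uri`, and a parser that reads the browser's `csp-report` JSON and pulls out the http: loads the policy blocked. The endpoint path and the report bodies are constructed for the example.

```python
import json
from urllib.parse import urlsplit

def migration_policy(report_endpoint="/csp-report", upgrade=True):
    """Build a CSP value for an https migration.

    default-src https: 'self' makes any http: load a violation that the
    browser reports to report_endpoint; upgrade-insecure-requests asks
    the browser to retry such loads over https first (point 1 in the
    answer), which only helps when the https version exists.
    """
    directives = ["default-src https: 'self'"]
    if upgrade:
        directives.append("upgrade-insecure-requests")
    directives.append(f"report-uri {report_endpoint}")
    return "; ".join(directives)

def insecure_loads(report_bodies):
    """Parse CSP violation reports (the JSON the browser POSTs to
    report-uri) and return (document, blocked URL, directive) for every
    blocked http: resource, i.e. the links still to be fixed (point 2)."""
    findings = []
    for body in report_bodies:
        report = json.loads(body).get("csp-report", {})
        blocked = report.get("blocked-uri", "")
        if urlsplit(blocked).scheme == "http":
            directive = report.get("effective-directive") or report.get("violated-directive")
            findings.append((report.get("document-uri"), blocked, directive))
    return findings

# Constructed sample reports: two http: loads and one unrelated inline violation.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/watch",
                               "blocked-uri": "http://cdn.example.test/video.mp4",
                               "effective-directive": "media-src",
                               "violated-directive": "default-src"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/",
                               "blocked-uri": "inline",
                               "effective-directive": "script-src"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.test/about",
                               "blocked-uri": "http://www.example.test/logo.png",
                               "violated-directive": "img-src"}}),
]

if __name__ == "__main__":
    print("Content-Security-Policy:", migration_policy())
    for doc, url, directive in insecure_loads(SAMPLE_REPORTS):
        print(f"{doc} loaded {url} ({directive})")
```

Send this value as the Content-Security-Policy response header rather than in the meta tag from the question: browsers ignore `report-uri` in a meta-delivered policy, so the reporting half only works as a header.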