Directive: block all mixed content
Ryan Parman edited this page Jun 14, 2024 · 3 revisions
Caution
Obsolete: This feature is no longer recommended. This directive is marked as obsolete in the specification: all mixed content is now blocked if it can't be autoupgraded. Use upgrade-insecure-requests instead. [MIXED-CONTENT-STRICT]
Note
This is an extension to CSP, which is defined in W3C: Mixed Content.
The block-all-mixed-content directive prevents loading any assets over HTTP when the page uses HTTPS.
All mixed content resource requests are blocked, including both active and passive mixed content. This also applies to <iframe> documents, ensuring the entire page is mixed content-free.
It is either on or off. It has no value.
block-all-mixed-content
❌ block-all-mixed-content does not fall back to default-src.
- CSP-0801 — [ERROR] directive block-all-mixed-content is obsolete; use upgrade-insecure-requests instead
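
The lint rule above, as an added example (not code from this wiki or its project): a small Python check that parses a serialized policy, reports the CSP-0801 finding, and rewrites the policy to use upgrade-insecure-requests. The function names and the sample header value are assumptions made for illustration.

```python
OBSOLETE = "block-all-mixed-content"
REPLACEMENT = "upgrade-insecure-requests"

# Constructed sample header value, not taken from a real site.
SAMPLE = "default-src 'self'; Block-All-Mixed-Content; img-src https:"


def parse_policy(policy):
    """Split a serialized CSP into ordered (name, values) pairs.

    Names are lower-cased because directive names are case-insensitive, and
    repeated directives are dropped because only the first one is honoured.
    """
    seen, directives = set(), []
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty segment, e.g. after a trailing ';'
        name = parts[0].lower()
        if name in seen:
            continue
        seen.add(name)
        directives.append((name, parts[1:]))
    return directives


def lint(policy):
    """Return (rule, level, message) findings; empty list if clean."""
    names = [name for name, _ in parse_policy(policy)]
    if OBSOLETE not in names:
        return []
    message = f"directive {OBSOLETE} is obsolete; use {REPLACEMENT} instead"
    return [("CSP-0801", "ERROR", message)]


def migrate(policy):
    """Rewrite the policy with the obsolete directive replaced."""
    directives = parse_policy(policy)
    has_replacement = any(name == REPLACEMENT for name, _ in directives)
    out = []
    for name, values in directives:
        if name == OBSOLETE:
            if has_replacement:
                continue  # replacement already present: just drop it
            name, values = REPLACEMENT, []  # neither directive takes a value
        out.append(" ".join([name, *values]))
    return "; ".join(out)
```
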
Content licensed under CC BY-SA.