1

I've installed a SSL certificate on my server, and I've made it HTTPS. But I need to load existent iframes with embedded content, usually YouTube videos that were saved with HTTP url, but also other content that is not available via HTTPS.

upgrade-insecure-requests is not a suitable solution, since it blocks the passive content if it can't be retrieved with HTTPS, which without defining Content-Security-Policyis not blocked by browsers.

Which policy do I have to define to make the browser not block the active content?

Julen
  • 227

1 Answers1

2

You can't disable the mixed security check at site level. If browser would allow it, this behavior will provide a false sense of security and defeat the trust on the use of HTTPS.

Some browsers allow the setting to be disabled on per-installation basis. For example, you can disable the check in Firefox by changing the setting

security.mixed_content.block_active_content

in about:config.

Chrome doesn't allow it explicitly, and the only way is to click on load anyway. It is also worth to mention that newer versions of Chrome no longer display a crossed padlock, instead Chrome will essentially downgrade the security of the page to HTTP if you load any HTTP content.

Simone Carletti
  • 1,534