Block all mixed content

2019-05-06 10:13发布

问题:

How do I completely prevent any mixed content from loading?

Current browsers are already blocking active mixed content (scripts). What I really want is to block all of it including images.

Purpose of this is to immediately see every offending image or file as broken, but not as an ambiguous warning in the address bar.

Is there a cross-browser way to do that?

回答1:

The standard way to strictly block all mixed content: block-all-mixed-content CSP directive.

In the simplest case if you’re not setting other CSP directives, it requires just sending this header:

Content-Security-Policy: block-all-mixed-content

Since not every browser support this directive, it may be feasible to send an extended header instead:

Content-Security-Policy: img-src https: data:

Other option is to force all plain http requests to go over https:

Content-Security-Policy: upgrade-insecure-requests