Block all mixed content

How do I completely prevent any mixed content from loading?

Current browsers are already blocking active mixed content (scripts). What I really want is to block all of it including images.

Purpose of this is to immediately see every offending image or file as broken, but not as an ambiguous warning in the address bar.

Is there a cross-browser way to do that?

The standard way to strictly block all mixed content: block-all-mixed-content CSP directive.

In the simplest case if you’re not setting other CSP directives, it requires just sending this header:

Content-Security-Policy: block-all-mixed-content

Since not every browser support this directive, it may be feasible to send an extended header instead:

Content-Security-Policy: img-src https: data:

Other option is to force all plain http requests to go over https:

Content-Security-Policy: upgrade-insecure-requests

来源：https://stackoverflow.com/questions/38176441/block-all-mixed-content

标签

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!