How can I allow Mixed contents (http with https) using content-security-policy meta tag?

by

You can’t.

CSP is there to restrict content on your website, not to loosen browser restrictions.

Secure https sites given users certain guarantees and it’s not really fair to then allow http content to be loaded over it (hence the mixed content warnings) and really not fair if you could hide these warnings without your users consent.

You can use CSP for a couple of things to aid a migration to https, for example:

  1. You can use it to automatically upgrade http request to https (though browser support isn’t universal). This helps in case you missed changing a http link to https equivalent. However this assumes the resource can be loaded over https and sounds like you cannot load them over https so that’s not an option.

  2. You can also use CSP to help you identify any http resources on you site you missed by reporting back a message to a service you can monitor to say a http resource was attempted to be loaded. This allows you identify and fix the http links to https so you don’t have to depend on above automatic upgrade.

But neither is what you are really looking for.

More Related Contents:

  1. Trouble with content security policy
  2. What are these meta tags? [closed]
  3. The Chrome extension popup is not working, click events are not handled
  4. How does Content Security Policy (CSP) work?
  5. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  6. What is “X-Content-Type-Options=nosniff”?
  7. Full webpage and disabled zoom viewport meta tag for all mobile browsers
  8. Injecting iframe into page with restrictive Content Security Policy
  9. Auto refresh code in HTML using meta tags
  10. Content Security Policy: The page’s settings blocked the loading of a resource
  11. What is happening when I have two CSP (Content Security Policies) policies – header & meta?
  12. How to use the ‘og’ (Open Graph) meta tag for Facebook share
  13. Console shows error about Content Security policy and lots of failed GET requests
  14. What’s the purpose of the HTML “nonce” attribute for script and style elements?
  15. How to override content security policy while including script in browser JS console?
  16. Content-Security-Policy error in google chrome extension making
  17. Get JSON in a Chrome extension
  18. Why is script-src-elem not using values from script-src as a fallback?
  19. Using attr to set css variable inline that work with CSP
  20. How to redirect one HTML page to another on load
  21. Jenkins Content Security Policy
  22. Allow All Content Security Policy?
  23. Extension refuses to load the script due to Content Security Policy directive
  24. Content Security Policy “data” not working for base64 Images in Chrome 28
  25. Cordova – refuse to execute inline event handler because it violates the following content Security policy
  26. Content Security Policy: “img-src ‘self’ data:”
  27. Google Adwords CSP (content security policy) img-src
  28. How to fix chrome-extension inline JavaScript invocation error?
  29. Compile-time map and inverse map values
  30. GTM not propagating nonce to Custom HTML tags

Leave a Comment