How can I allow Mixed contents (http with https) using content-security-policy meta tag?

Asked 5/5, 2016 at 6:19 Answered 14/6, 2023 at 7:37

Solved meta content-security-policy mixed-content

I'm forcing https to access my website, but some of the contents must be loaded over http (for example video contents can not be over https), but the browsers block the request because of mixed-contents policy.

After hours of searching I found that I can use Content-Security-Policy but I have no idea how to allow mixed contents with it.

<meta http-equiv="Content-Security-Policy" content="????">

Deirdre answered 5/5, 2016 at 6:19 Comment(1)

I have the same problem. I think it's not an issue to provide a way of enabling mixed content server side. The developer can then do checksums on the loaded data to figure out if the content hasn't been tampered with. Just like for example Debian packages are downloaded via HTTP and then checksumed, I don't understand why my CDN has to be HTTPS. The programmer (sometimes) knows what he's doing. – Apollonian 22/11, 2020 at 12:16

You can't.

CSP is there to restrict content on your website, not to loosen browser restrictions.

Secure https sites given users certain guarantees and it's not really fair to then allow http content to be loaded over it (hence the mixed content warnings) and really not fair if you could hide these warnings without your users consent.

You can use CSP for a couple of things to aid a migration to https, for example:

You can use it to automatically upgrade http request to https (though browser support isn't universal). This helps in case you missed changing a http link to https equivalent. However this assumes the resource can be loaded over https and sounds like you cannot load them over https so that's not an option.
You can also use CSP to help you identify any http resources on you site you missed by reporting back a message to a service you can monitor to say a http resource was attempted to be loaded. This allows you identify and fix the http links to https so you don't have to depend on above automatic upgrade.

But neither is what you are really looking for.

Aldrich answered 6/5, 2016 at 20:32 Comment(2)

can the security be loosened via the origin response header? I was looking into the meta tag as it sounded easier to add. – Hirschfeld 9/3, 2017 at 19:7

No. It's only used to tighten security policy - not loosen it. As mentioned in my answer. – Aldrich 9/3, 2017 at 19:21

You shouldn't... but you CAN, the feature is demonstrated here an HTTP PNG image converted on-the-fly to HTTPS.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

There's also a new permissions API, described here, that allows a Web server to check the user's permissions for features like geolocation, push, notification and Web MIDI.

Leukoderma answered 23/8, 2017 at 14:23 Comment(7)

I have added this in header section of master page but it wont help, is there any IIS Configuration that I supposed to do? coz I heard that chrome wont allow us to convert from HTTP file to HTTPS – Sublimity 28/5, 2019 at 11:2

I don't think it will help in your case, this solution assumes that you already have a valid secured URL with 'https', then this tag will help the browser to automatically call those ulrs will 'https' instead of 'http' without your need to manually change it in your page code, while if you don't have that secured URL, I believe you can this method. – Alcestis 20/11, 2019 at 16:39

Huge -1, cuz upgrade-insecure-requests has nothing to do with allowing mixed content, it just changes request scheme to https, and that's what happening in the attached example, not "conversion on-the-fly to HTTPS" – Maximilianus 14/12, 2020 at 16:24

Irrelevant,OP wanted to know HOW to use the meta tag – Leukoderma 15/12, 2020 at 15:15

no, the question he asked was "How can I allow Mixed contents". that meta tag doesn't allow it. – Blackandblue 1/7, 2021 at 14:12

Yes, It will allow you to use your old urls with your valid SSL – Leukoderma 6/7, 2021 at 17:4

No, that's not allowing mixed content, that's trying to load insecure content via https and only works if the server actually provides the content via https. – Microscopy 26/4, 2023 at 17:40

Although you cannot allow mixed content in the browser, you may be able to wrap the endpoint in a local endpoint that's served over HTTPS. Thus, HTTP/HTTPS mixing occurs backend-to-backend, which is allowed and should be safe enough. The wrapper endpoint could look like this in PHP:

<?php
    $endp = !isset($_GET['endp']) ? '' : $_GET['endp'];
    if ($endp === 'doit') {
        header('Content-Type: application/json');
        echo file_get_contents('http://problematic-server/doit');
    } else {
        echo '{"err":"unsupported-endpoint"}';
    }
// Don't close php tag to avoid unwanted whitespace in response.

In your case with video content, it may not be possible, though.

Chiropractor answered 14/6, 2023 at 7:37 Comment(1)

This is a clever solution, but does mean increased traffic on your server, and if you don't control problematic-server then you open up a number of new potential attack surfaces. Just something to be aware of before using this solution – Intramolecular 21/6, 2023 at 17:17

Recommended topics

Hot tags