Mixed Content The page at was loaded over HTTPS but requested an insecure resource This request has been blocked the content must be served over HTTPS

Asked 30/5, 2021 at 19:50 Answered 12/12, 2023 at 10:17

Solved javascript xmlhttprequest resources mixed

Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure resource ''. This request has been blocked; the content must be served over HTTPS.

Lull answered 30/5, 2021 at 19:50 Comment(0)

There's no way to disable mixed content using javascript but you can add this tag

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

to your HTML to allow mixed content

Lull answered 30/5, 2021 at 19:50 Comment(1)

This does not appear to have any effect on the current version of Chrome. See my answer below on the Chrome flag. – Yoong 16/8, 2023 at 18:57

to allow Mixed Content:
1- add this meta tag to the page (HTML File)

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

2- add unsafe_url for referrerPolicy to your fetch requests if you get ERR_CONNECTION_REFUSED
example:

fetch('http://URL', {
    // ...
    referrerPolicy: "unsafe-url" 
});

Warning: This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

for more info check these 2 documentations:

Castalia answered 22/8, 2022 at 10:14 Comment(4)

referrerPolicy: "unsafe_url" does not appear to have any effect in Chrome. – Yoong 15/8, 2023 at 22:2

Neither of these appear to have any effect in Chrome. – Yoong 16/8, 2023 at 18:57

Correct value is "unsafe-url" (with dash). MDN says it fully supported in Chrome. – Catalinacatalo 14/5 at 12:0

Note that the "unsafe-url" policy only allows the browser to send the request, it does NOT allow the browser to use the content that is returned. From the MDN doc: "Send the origin, path, and query string when performing any request, regardless of security." And the example they give shows both URLs with HTTPS protocol. – Yoong 19/7 at 23:8

In Chrome, you can treat a url as safe via this flag:

chrome://flags/#unsafely-treat-insecure-origin-as-secure

You can enter multiple protocol and urls, even using local IP addresses in a comma delimited list. E.g. http://192.168.1.142, ws://192.168.1.142

Problems: 1. Requires trust or knowledge on part of the user (browser starts with a warning message about degraded functionality), 2. Chrome specific. 3. Slightly reduces security.

Yoong answered 15/8, 2023 at 21:54 Comment(1)

But we can't tell all our site visitors to change Chrome flags – Afc 18/7 at 9:44

Add below to .htaccess

Header add Content-Security-Policy "upgrade-insecure-requests"

This will let the browser try to load HTTP content on the HTTPS page in HTTPS.

Soundless answered 27/2, 2023 at 0:19 Comment(3)

This answer solved my issue but , can you explain how this happened. Page worked fine for like 1 month and then suddenly this morning this happened – Mcauliffe 20/4, 2023 at 11:49

@AnelHodžić Probably because the browser updated and the new version started enforcing mixed content errors. – Yoong 15/8, 2023 at 22:16

This does not appear to have any effect in Chrome – Yoong 16/8, 2023 at 18:56

I had a similar problem with HTTPS page requesting detecting Ajax folder existence https://domanin.name/folder get mix-content with 301 redirect error with header location changed to http: works fine with https://domanin.name/folder/ if you don't use / end of the file server redirect destination with adding / but why http: instead https: strange behavior!

Odont answered 12/12, 2023 at 10:17 Comment(0)

Recommended topics

Hot tags