How can I allow Mixed contents (http with https) using content-security-policy meta tag?

Mustafa Dwekat picture Mustafa Dwekat · May 5, 2016 · Viewed 26.2k times · Source

I'm forcing https to access my website, but some of the contents must be loaded over http (for example video contents can not be over https), but the browsers block the request because of mixed-contents policy.

After hours of searching I found that I can use Content-Security-Policy but I have no idea how to allow mixed contents with it.

<meta http-equiv="Content-Security-Policy" content="????">

Answer

Barry Pollard picture Barry Pollard · May 6, 2016

You can't.

CSP is there to restrict content on your website, not to loosen browser restrictions.

Secure https sites given users certain guarantees and it's not really fair to then allow http content to be loaded over it (hence the mixed content warnings) and really not fair if you could hide these warnings without your users consent.

You can use CSP for a couple of things to aid a migration to https, for example:

  1. You can use it to automatically upgrade http request to https (though browser support isn't universal). This helps in case you missed changing a http link to https equivalent. However this assumes the resource can be loaded over https and sounds like you cannot load them over https so that's not an option.

  2. You can also use CSP to help you identify any http resources on you site you missed by reporting back a message to a service you can monitor to say a http resource was attempted to be loaded. This allows you identify and fix the http links to https so you don't have to depend on above automatic upgrade.

But neither is what you are really looking for.