Ssl – Allow active mixed content (iframes) with SSL and Content Security Policies


I've installed an SSL certificate on my server, and I've made it HTTPS. But I need to load existing iframes with embedded content, usually YouTube videos that were saved with an HTTP URL, but also other content that is not available via HTTPS.

upgrade-insecure-requests is not a suitable solution, since it blocks passive content if it can't be retrieved over HTTPS, whereas without defining a Content-Security-Policy that content is not blocked by browsers.

Which policy do I have to define to make the browser not block the active content?

Best Answer

You can't disable the mixed-content check at site level. If browsers allowed it, this behaviour would provide a false sense of security and defeat the trust placed in the use of HTTPS.

Some browsers allow the check to be disabled on a per-installation basis. For example, you can disable it in Firefox by changing the setting

security.mixed_content.block_active_content

in about:config.

Chrome doesn't allow it explicitly; the only way is to click "load anyway". It is also worth mentioning that newer versions of Chrome no longer display a crossed-out padlock; instead Chrome essentially downgrades the security indicator of the page to HTTP if you load any HTTP content.
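To make the answer concrete, here is a small JavaScript model of the browser-side mixed-content decision. It is an added example, not code from the question, the answer or any browser: the passive/active split and the "potentially trustworthy" test follow the W3C Mixed Content and Secure Contexts specs, but the list of hosts that answer over HTTPS is a constructed stand-in (www.youtube.com does serve HTTPS; "legacy.example" is a made-up host with no TLS), "VIDEO_ID" is a placeholder, and the policy object simply names the three knobs discussed in the thread: the two CSP directives a site can send, and Firefox's per-installation pref that only the user can change.

```javascript
// Added example (not from the original question or answer): a model of how a
// browser classifies an embedded resource as mixed content and what each of the
// knobs mentioned in the thread actually does to it. Runs under Node.js.

// Passive (optionally-blockable) content per the Mixed Content spec is only
// images, audio and video. Everything else, iframes included, is active
// (blockable) and is refused by current browsers unless the user overrides it.
const OPTIONALLY_BLOCKABLE = new Set(["img", "audio", "video"]);

// Constructed for this example: hosts that serve the same path over HTTPS.
// www.youtube.com really does; "legacy.example" stands in for a host without TLS.
const HTTPS_CAPABLE_HOSTS = new Set(["www.youtube.com"]);

// "Potentially trustworthy" URL: https/wss, local schemes, or loopback hosts.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (["https:", "wss:", "data:", "blob:", "file:"].includes(u.protocol)) return true;
  const h = u.hostname;
  return h === "localhost" || h.endsWith(".localhost") || h === "127.0.0.1" || h === "[::1]";
}

// secure | optionally-blockable (passive) | blockable (active)
function classify(resourceType, url) {
  if (isPotentiallyTrustworthy(url)) return "secure";
  return OPTIONALLY_BLOCKABLE.has(resourceType) ? "optionally-blockable" : "blockable";
}

// What `Content-Security-Policy: upgrade-insecure-requests` does to a URL:
// it rewrites the scheme before the request is made, nothing more. It never
// whitelists plain-http content.
function upgradeInsecureRequest(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  else if (u.protocol === "ws:") u.protocol = "wss:";
  return u.href;
}

// policy.upgradeInsecureRequests / policy.blockAllMixedContent: CSP directives
// sent by the site. policy.blockActiveContent: models Firefox's
// security.mixed_content.block_active_content pref (default true), which the
// site cannot touch. Returns the URL actually requested and the outcome.
function decide(resourceType, url, policy = {}) {
  const {
    upgradeInsecureRequests = false,
    blockAllMixedContent = false,
    blockActiveContent = true,
  } = policy;
  let finalUrl = url;
  if (upgradeInsecureRequests && !isPotentiallyTrustworthy(url)) {
    finalUrl = upgradeInsecureRequest(url);
    if (!HTTPS_CAPABLE_HOSTS.has(new URL(finalUrl).hostname)) {
      // Upgraded, but the host does not speak HTTPS: the fetch fails with a
      // network error. This is the failure the question describes, and it
      // hits passive content (images) just as much as iframes.
      return { url: finalUrl, action: "error" };
    }
  }
  const kind = classify(resourceType, finalUrl);
  if (kind === "secure") return { url: finalUrl, action: "load" };
  if (blockAllMixedContent) return { url: finalUrl, action: "block" };
  if (kind === "blockable" && blockActiveContent) return { url: finalUrl, action: "block" };
  return { url: finalUrl, action: "load-with-warning" };
}

// Usage: the cases from the thread, printed for a quick look.
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["iframe", "http://www.youtube.com/embed/VIDEO_ID", {}],
    ["iframe", "http://www.youtube.com/embed/VIDEO_ID", { upgradeInsecureRequests: true }],
    ["iframe", "http://legacy.example/widget", { upgradeInsecureRequests: true }],
    ["img", "http://legacy.example/logo.png", {}],
    ["iframe", "http://legacy.example/widget", { blockActiveContent: false }],
  ];
  for (const [type, url, policy] of cases) {
    console.log(type, url, JSON.stringify(policy), "->", JSON.stringify(decide(type, url, policy)));
  }
}
```

Run through the model, the three outcomes the thread is about fall out directly: an HTTP YouTube iframe is active mixed content and is blocked with no policy at all; with upgrade-insecure-requests it loads, because the scheme rewrite succeeds against a host that serves HTTPS; the same directive turns an embed from a host with no TLS into a network error, which is exactly the objection in the question; and the only path that loads an active HTTP iframe on an HTTPS page is the per-installation Firefox pref, which no CSP directive can set.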
