Allow active mixed content (iframes) with SSL and Content Security Policies

I've installed an SSL certificate on my server, and I've made it HTTPS. But I need to load existing iframes with embedded content, usually YouTube videos that were saved with an HTTP URL, but also other content that is not available via HTTPS.

upgrade-insecure-requests is not a suitable solution, since it blocks the passive content if it can't be retrieved with HTTPS, which without defining Content-Security-Policy is not blocked by browsers.

Which policy do I have to define to make the browser not block the active content?


Solution 1:

You can't disable the mixed content check at site level. If browsers allowed it, this behavior would provide a false sense of security and defeat trust in the use of HTTPS.

Some browsers allow the setting to be disabled on a per-installation basis. For example, you can disable the check in Firefox by changing the setting

security.mixed_content.block_active_content

in about:config.

Chrome doesn't allow it explicitly, and the only way is to click "load anyway". It is also worth mentioning that newer versions of Chrome no longer display a crossed-out padlock; instead Chrome will essentially downgrade the security of the page to HTTP if you load any HTTP content.
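Since the browser check cannot be switched off for the site, the practical fix is on the server side: rewrite embeds whose provider also serves them over HTTPS (YouTube does) and list the remaining http:// iframes, which will stay blocked until the provider offers HTTPS. This is an added example, not part of the question or the answer; the HTTPS-capable host list, the constructed sample HTML and the regex-based tag matching are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts known (assumed here) to serve the same embed over HTTPS.
HTTPS_CAPABLE_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}

# Matches the src attribute of an <iframe> tag. Regex matching of HTML is
# good enough for stored, well-formed embed snippets, not for arbitrary pages.
IFRAME_SRC = re.compile(r'(<iframe\b[^>]*?\bsrc=["\'])([^"\']+)(["\'])', re.IGNORECASE)

# Constructed sample: one upgradable embed, one legacy HTTP-only widget,
# one already-HTTPS embed and one scheme-relative embed.
SAMPLE_HTML = """
<p>Video</p>
<iframe src="http://www.youtube.com/embed/EXAMPLE_ID" width="560"></iframe>
<iframe src='http://legacy.example.net/widget' height="100"></iframe>
<iframe src="https://www.youtube.com/embed/ALREADY_OK"></iframe>
<iframe src="//cdn.example.org/embed"></iframe>
"""

def classify_iframes(html):
    """Return (upgradable, blocked): http:// iframe sources that can be
    rewritten to https://, and those that will remain active mixed content."""
    upgradable, blocked = [], []
    for _, src, _ in IFRAME_SRC.findall(html):
        parts = urlsplit(src)
        if parts.scheme != "http":
            continue  # https:// or scheme-relative: not mixed content
        if parts.netloc.lower() in HTTPS_CAPABLE_HOSTS:
            upgradable.append(src)
        else:
            blocked.append(src)
    return upgradable, blocked

def upgrade_iframe_srcs(html):
    """Rewrite http:// iframe sources on HTTPS-capable hosts to https://;
    everything else is left untouched."""
    def repl(match):
        prefix, src, quote = match.groups()
        parts = urlsplit(src)
        if parts.scheme == "http" and parts.netloc.lower() in HTTPS_CAPABLE_HOSTS:
            src = urlunsplit(parts._replace(scheme="https"))
        return prefix + src + quote
    return IFRAME_SRC.sub(repl, html)

if __name__ == "__main__":
    upgradable, blocked = classify_iframes(SAMPLE_HTML)
    print("upgradable:", upgradable)
    print("still blocked (no HTTPS available):", blocked)
```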