Available in Chrome 43+ | View on GitHub | Browse Samples
The "Upgrade Insecure Requests"
Content Security Policy
can be used to automatically upgrade insecure (e.g.
http:) requests to
a secure alternative (e.g.
https:) before a browser fetches them.
In practice, this helps avoid mixed-content warnings when a page is accessed via
https:, but it contains references to resources using absolute
Like other Content Security Policies, the recommend approach is to enable it via a HTTP
Content-Security-Policy: upgrade-insecure-requests. However,
if you do not have control over the underlying web server (as is the case in this demo), an
is to include the
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
tag in your HTML's
The following image is loaded with an explicit
Because this page has
http: is treated as
https:, and no mixed-content
warnings are displayed.