Available in Chrome 43+
The "Upgrade Insecure Requests" Content Security Policy can be used to automatically upgrade insecure (e.g. http:) requests to a secure alternative (e.g. https:) before a browser fetches them.
In practice, this helps avoid mixed-content warnings when a page is accessed via https: but contains references to resources using absolute http: URLs.
Like other Content Security Policies, the recommended approach is to enable it via an HTTP response header, Content-Security-Policy: upgrade-insecure-requests. However, if you do not have control over the underlying web server (as is the case in this demo), an alternative is to include the
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
tag in your HTML's <head>.
The following image is loaded with an explicit http: URL,
http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png.
Because this page has Content-Security-Policy: upgrade-insecure-requests
active, the http: is treated as https:, and no mixed-content
warnings are displayed.
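The following audit script is an added example, not part of the original sample. It checks whether a page has the directive active through either delivery route described above (response header or <meta> tag) and lists the absolute http: src references that depend on the upgrade. The function names, the regex-based scan of src attributes only, and the assumption that http-equiv precedes content in the <meta> tag are simplifications made for this example.

```javascript
// Added example: all names below are hypothetical, not part of the Chrome sample.

// True if a serialized CSP (header value or <meta> content) carries the directive.
// Directive names are matched case-insensitively.
function hasUpgradeDirective(policy) {
  return (policy || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .includes('upgrade-insecure-requests');
}

// Scheme rewrite applied before the fetch: http: -> https:, ws: -> wss:.
// Host, explicit port, path and query are kept as written.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol === 'http:') url.protocol = 'https:';
  else if (url.protocol === 'ws:') url.protocol = 'wss:';
  return url.href;
}

// Audit one page: is the policy active (header or <meta>), and which
// absolute http: src references rely on it?
function auditPage(html, cspHeader) {
  const meta = /<meta[^>]+http-equiv\s*=\s*["']Content-Security-Policy["'][^>]*content\s*=\s*["']([^"']*)["']/i.exec(html);
  const active = hasUpgradeDirective(cspHeader) || hasUpgradeDirective(meta && meta[1]);
  const refs = [];
  const srcAttr = /\bsrc\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  for (const m of html.matchAll(srcAttr)) {
    // Without the directive, each of these is a mixed-content reference on an https: page.
    refs.push({ original: m[1], upgraded: upgradeUrl(m[1]), mixedContentRisk: !active });
  }
  return { active, refs };
}

// Constructed sample input modelled on the demo page.
const samplePage = `<head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head><body>
<img src="http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png">
</body>`;

console.log(JSON.stringify(auditPage(samplePage, null), null, 2));
```

The browser does not fall back to http: when an upgraded request fails, so each URL reported under `upgraded` should be confirmed to be served over https: before relying on the directive.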