Upgrade Insecure Requests Sample

Available in Chrome 43+

Background

The "Upgrade Insecure Requests" Content Security Policy can be used to automatically upgrade insecure (e.g. http:) requests to a secure alternative (e.g. https:) before a browser fetches them.

In practice, this helps avoid mixed-content warnings when a page is accessed via https: but contains references to resources using absolute http: URLs.

Like other Content Security Policies, the recommended approach is to enable it via an HTTP response header, Content-Security-Policy: upgrade-insecure-requests. However, if you do not have control over the underlying web server (as is the case in this demo), an alternative is to include the <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> tag in your HTML's <head>.

The following image is loaded with an explicit http: URL, http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png. Because this page has Content-Security-Policy: upgrade-insecure-requests active, the http: is treated as https:, and no mixed-content warnings are displayed.
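
The upgrade behavior described above, modeled as a small Node.js audit script that reports which http: references on a page depend on the directive. This is an added example, not code from the original sample; the function names and the sample HTML are constructed for illustration, and the regex scan assumes double-quoted attributes.

```javascript
// Constructed sample input (not the demo's real markup); the image URL is the one quoted on the page.
const SAMPLE_HTML = `<html><head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head><body>
<img src="http://googlechrome.github.io/samples/images/touch/chrome-touch-icon-192x192.png">
<script src="https://example.com/app.js"></script>
</body></html>`;

// True when a policy string (header value or meta content) carries the directive.
// Directive names are matched case-insensitively.
function hasUpgradeDirective(policy) {
  return (policy || '').split(';')
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .includes('upgrade-insecure-requests');
}

// Pulls policy strings out of <meta http-equiv="Content-Security-Policy"> tags.
// Simplified scan: assumes double-quoted attributes in this order.
function metaPolicies(html) {
  const re = /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Models the scheme rewrite the page describes: http: becomes https:.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol === 'http:') url.protocol = 'https:';
  return url.href;
}

// Lists every src="http://..." reference and the URL it would be fetched as.
// headerPolicy is the Content-Security-Policy response header value, or null.
function auditPage(html, headerPolicy) {
  const active = [headerPolicy, ...metaPolicies(html)].some(hasUpgradeDirective);
  const refs = [...html.matchAll(/\ssrc="(http:\/\/[^"]+)"/gi)].map((m) => m[1]);
  return {
    active,
    references: refs.map((from) => ({ from, fetchedAs: active ? upgradeUrl(from) : from })),
  };
}

console.log(JSON.stringify(auditPage(SAMPLE_HTML, null), null, 2));
```

When `active` is false, every entry in `references` is a mixed-content load; when it is true, each entry is a resource that must actually be available over https: for the page to keep working.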