Allow active mixed content (iframes) with SSL and Content Security Policies

Question

I've installed a SSL certificate on my server, and I've made it HTTPS. But I need to load existent iframes with embedded content, usually YouTube videos that were saved with HTTP url, but also other content that is not available via HTTPS.

upgrade-insecure-requests is not a suitable solution, since it blocks the passive content if it can't be retrieved with HTTPS, which without defining Content-Security-Policyis not blocked by browsers.

Which policy do I have to define to make the browser not block the active content?

Yes, but I have other mixed content that is not available via HTTPS, which I also have to load. — Julen, Jan 20 '16 at 19:10
CSP is about restricting the content compared to the default policy, not to loosen the policy. — Steffen Ullrich, Jan 20 '16 at 22:03

score 2 · Answer 1 · answered Jan 28 '16 at 11:57

You can't disable the mixed security check at site level. If browser would allow it, this behavior will provide a false sense of security and defeat the trust on the use of HTTPS.

Some browsers allow the setting to be disabled on per-installation basis. For example, you can disable the check in Firefox by changing the setting

security.mixed_content.block_active_content

in about:config.

Chrome doesn't allow it explicitly, and the only way is to click on load anyway. It is also worth to mention that newer versions of Chrome no longer display a crossed padlock, instead Chrome will essentially downgrade the security of the page to HTTP if you load any HTTP content.

Allow active mixed content (iframes) with SSL and Content Security Policies

1 Answers1