block-all-mixed-content
The block-all-mixed-content directive prevents the browser from loading any mixed content, ensuring that all resources are loaded over HTTPS.
Tips & Tricks
This directive is deprecated and replaced by the upgrade-insecure-requests directive.
Using this directive may break functionality on pages that rely on HTTP resources. Ensure all resources are available over HTTPS before implementing.
Examples
Block all mixed content
Content-Security-Policy: block-all-mixed-content;
Allowed
<img src='https://example.com/image.jpg'>
Blocked
<img src='http://example.com/image.jpg'> <!-- Will be blocked -->
Frequently Asked Questions
What is the block-all-mixed-content directive?
The block-all-mixed-content directive prevents browsers from loading any HTTP content when the page is loaded over HTTPS. This ensures that no insecure content can be loaded on your secure pages, helping maintain the security of your site by preventing mixed content vulnerabilities.
Important Note
This directive is now deprecated in modern browsers as they block mixed content by default. Consider using upgrade-insecure-requests instead for better compatibility.
How does block-all-mixed-content work?
When this directive is enabled, the browser will block any attempt to load resources over HTTP on an HTTPS page. This includes all types of resources such as images, scripts, stylesheets, and frames. Unlike upgrade-insecure-requests, it doesn't attempt to upgrade the requests - it simply blocks them.
When should I use block-all-mixed-content?
While this directive is now deprecated, it was historically used when you wanted to ensure absolute security by blocking all mixed content without attempting to upgrade it. Modern browsers now implement this behavior by default, making the directive unnecessary in most cases.
Modern Alternative
For most use cases, upgrade-insecure-requests is now the recommended approach as it provides a more flexible solution by attempting to upgrade insecure requests rather than simply blocking them.