Add the `upgrade-insecure-resources` CSP directive, so we can see embedded videos while using HTTPS

  • Idea
  • Updated 5 years ago
upgrade-insecure-requests is a new spec that instructs the browser to upgrade resources (iframes, scripts, images, etc.) to HTTPS, rather than just blocking them as mixed content.

It can be served either as a content header, or as a meta tag like this:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Here is a test page: https://googlechrome.github.io/samples/csp-upgrade-insecure-requests/index.html

If this were applied to https://www.newsblur.com/, it would allow those of us using Newsblur securely to see previews on the YouTube channel feeds that Samuel Clay has so awesomely set up.

RethorykeEpicaridan

Posted 5 years ago

satmandu

Yes Please!

Calum Halpin

This would be great +1

Splike

+1 on this :)

Sternenstaub

Yeah, would love to see that. In Firefox one can allow unsecure content, but this reloads newsblur, and the site is gone. So I switched to http, what a shame.

Hampus

And worse yet, despite a lot of people asking for it, Mozilla is stubbornly refusing to add the option to remember the setting for a site; you have to enable mixed content every time you load the site. I've also reverted to HTTP.

This would be fantastic if it was added.

Samuel Clay, Official Rep


RethorykeEpicaridan

Noice!

Alex Lomas

I don't know if it's related, but I'm now seeing lots of broken images in posts. Looking at it, the site is serving them as http but Chrome is fetching them as https, but getting certificate errors (it mostly seems to be those using CDNs without the right cert deployed to the CDN nodes themselves).

Anyone else seeing something similar?

jason

Yea, I'm getting this too

RethorykeEpicaridan


Samuel Clay, Official Rep

Yeah, I'm going to have to take this out, unfortunately. Too many users are complaining about broken images.

Alex Lomas

I was seeing it when using the non-TLS newsblur site, so I'm not expecting to see content upgraded to HTTPS (because I'll never see the mixed content warning anyway).

Maybe you can just set the directive if a user visits Newsblur over HTTPS and not HTTP? Add a warning it might cause broken images etc?
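
One way to implement the suggestion above (send the directive only to visitors who loaded the page over HTTPS), as an added example that is not part of the thread and not NewsBlur's code: a WSGI middleware in Python. The class name, function names and the `trust_forwarded_proto` option are assumptions made for illustration.

```python
# Added example (hypothetical names): send upgrade-insecure-requests only on
# responses to HTTPS page loads, so HTTP visitors keep plain-HTTP subresources.

DIRECTIVE = "upgrade-insecure-requests"


def request_is_https(environ, trust_forwarded_proto=False):
    """True when the client reached the site over TLS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Assumption: honour X-Forwarded-Proto only behind a proxy that overwrites
    # it; otherwise a client could set the header itself.
    if trust_forwarded_proto:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        return proto.split(",")[0].strip().lower() == "https"
    return False


def add_directive(headers):
    """Append the directive to the first CSP header, or add a new CSP header."""
    out, merged = [], False
    for name, value in headers:
        if name.lower() == "content-security-policy" and not merged:
            directives = [d.strip() for d in value.split(";") if d.strip()]
            if DIRECTIVE not in (d.lower() for d in directives):
                directives.append(DIRECTIVE)
            value, merged = "; ".join(directives), True
        out.append((name, value))
    if not merged:
        out.append(("Content-Security-Policy", DIRECTIVE))
    return out


class UpgradeInsecureOnHttps:
    """WSGI middleware wrapping any WSGI application."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if not request_is_https(environ, self.trust_forwarded_proto):
            return self.app(environ, start_response)  # HTTP visit: unchanged

        def patched_start(status, headers, exc_info=None):
            return start_response(status, add_directive(headers), exc_info)

        return self.app(environ, patched_start)
```

Visitors on HTTPS still get every image request upgraded, so images on hosts without a valid certificate fail to load for them.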

RethorykeEpicaridan

Dang! I thought that u-i-r would not affect requests made while connected through http:// ...

That does put a damper on things. It might have to stay an opt-in feature.

satmandu

Maybe you can try this again in six months as sites get better with this...