block-all-mixed-content
Content-Security-Policy Other

Overview

block-all-mixed-content is a flag-style directive that blocks all mixed content — passive and active alike — loaded over http on an HTTPS page. It takes no value. However, it is deprecated and superseded by modern browsers' default mixed-content policy.

Details

Older browsers blocked active mixed content (like scripts) but only warned about and allowed passive mixed content (like images and video). block-all-mixed-content was the hard-line measure to block even passive mixed content, eliminating the downgrade attack surface.

Since then, the web platform strengthened its standard to auto-upgrade mixed content to https and block it when upgrading is impossible. As a result this directive is deprecated; the modern approach is upgrade-insecure-requests (upgrade when possible) or relying on the browser's default policy. There is rarely a need to add block-all-mixed-content to new policies.

Syntax

Content-Security-Policy: block-all-mixed-content

Notes

Related directives