Upgrade insecure requests

We encourage authors to transition their sites and applications away from insecure transport, and onto encrypted and authenticated connections, but mixed content checking causes headaches. This feature allows authors to ask the user agent to transparently upgrade HTTP resources to HTTPS to ease the migration burden.

Demo

• https://github.com/GoogleChrome/samples/tree/gh-pages/csp-upgrade-insecure-requests

Documentation

• https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#upgrade-insecure-requests

Specification

Working draft or equivalent

Status in Chromium

Blink components: Blink

Enabled by default (tracking bug) in:

• Chrome for desktop release 43
• Chrome for Android release 43
• Android WebView release 43

Consensus & Standardization

• Firefox: Shipped
• Edge: In development
• Safari: Shipped
• Web Developers: Positive

Owner

• mkwst@chromium.org

Last updated on 2018-04-26