
I have a website that has to be served under HTTPS.

However, there is a section of the site that displays BBC news stories within an iframe which is in a popup window. Here the content is not shown, as both browsers say the BBC content is insecure (i.e. mixed content).

I have tried setting the header Content-Security-Policy: to

"default-src 'self' *.my_domian.net http://*.my_domian.net http://*.bbc.co.uk *.fonts.com 'unsafe-inline' 'unsafe-eval';"

This has an effect on other content, so it is working. I have also checked that the headers are sent.

However, both Chrome and Firefox continue to tell me the BBC content is insecure and it isn't shown in the iframe.

Is it possible to allow content from bbc.co.uk on a secure site? Have I misunderstood the purpose of Content-Security-Policy?

I have also tried frame-src in the header with no luck.

Thanks


1 Answer

CSP level 2 is already being applied in Chrome, and level 2 has additional frame handling.

See here: https://www.w3.org/TR/CSP2/#directive-frame-ancestors and here: https://www.w3.org/TR/CSP2/#directive-frame-src

frame-src is being deprecated; use frame-ancestors.
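As an added illustration (not code from the question or the answer), the following Python resolves which directive governs an iframe load under the question's own header and whether a given frame URL matches it; the page origin https://www.my_domian.net and the sample frame URLs are assumed, and frame-ancestors is not modelled because the browser evaluates it on the framed response against its embedder, not on the embedding page. A match here only means CSP permits the load: an http:// frame inside an https:// page is still subject to the browser's separate mixed-content blocking, which a CSP source list does not relax.

```python
from urllib.parse import urlsplit

# The asker's header, copied from the question (domain spelling kept as written).
ASKER_CSP = ("default-src 'self' *.my_domian.net http://*.my_domian.net "
             "http://*.bbc.co.uk *.fonts.com 'unsafe-inline' 'unsafe-eval';")


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_frame_directive(policy):
    """A nested browsing context falls back frame-src -> child-src -> default-src."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return name
    return None  # no governing directive: CSP does not restrict the load


def source_allows(expr, url, page_origin):
    """Match one host-source expression against a frame URL (ports/paths ignored)."""
    target = urlsplit(url)
    if expr == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval' never match a host
        return False
    scheme, sep, host_pattern = expr.partition("://")
    if not sep:  # scheme-less source: inherits the protected page's scheme
        scheme, host_pattern = urlsplit(page_origin).scheme, expr
    # CSP3 also lets an http: source cover an https: load, never the reverse.
    scheme_ok = scheme == target.scheme or (scheme == "http" and target.scheme == "https")
    if host_pattern.startswith("*."):
        host_ok = target.hostname.endswith(host_pattern[1:])  # *.a.b does not match a.b
    else:
        host_ok = target.hostname == host_pattern
    return scheme_ok and host_ok


def frame_allowed_by_csp(header, frame_url, page_origin="https://www.my_domian.net"):
    """True if the governing directive lists a source matching frame_url (assumed origin)."""
    policy = parse_csp(header)
    name = effective_frame_directive(policy)
    if name is None:
        return True
    return any(source_allows(e, frame_url, page_origin) for e in policy[name])
```

With the question's header, frame loads are governed by default-src and http://news.bbc.co.uk is allowed by the policy, which is why tightening or loosening the CSP does not change the mixed-content result.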