Add the 'upgrade-insecure-resources' CSP directive, so we can see embedded videos while using HTTPS

upgrade-insecure-requests is a new spec that instructs the browser to upgrade resources (iframes, scripts, images etc) to HTTPS, rather than just blocking them as mixed content.

It can be served either as a content header, or as a meta tag like this:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Here is a test page:

If this were applied to, it would allow those of us using Newsblur securely to see previews on the YouTube channel feeds that Samuel Clay has so awesomely set up.

1 Like

Yes Please!

This would be great +1

+1 on this :slight_smile:

Yeah, would love to see that. In Firefox one can allow unsecure content, but this reloads newsblur, and the site is gone. So I switched to http, what a shame.

And worse yet, despite a lot of people asking for it Mozilla is stubbornly refusing to add the option to remember the setting for a site, you have to enable mixed content every time you load the site. I’ve also reverted to HTTP.

This would be fantastic if it was added.

Sure thing, deployed:

1 Like


Track the browser implementations here:





1 Like

I don’t know if it’s related but I’m now seeing lots of broken images in posts. Looking at it, the site is serving them as http but chrome is fetching them as https, but getting certificate errors (it mostly seems to be those using CDNs without the right cert deployed to the CDN nodes themselves).

Anyone else seeing something similar?

Yea, I’m getting this too

Yeah, I’m going to have to take this out, unfortunately. Too many users are complaining about broken images.

Maybe you can try this again in six months as sites get better with this…

I was seeing it when using the non-TLS newsblur site, so I’m not expecting to see content upgraded to HTTPS (because I’ll never see the mixed content warning anyway).

Maybe you can just set the directive if a user visits Newsblur over HTTPS and not HTTP? Add a warning it might cause broken images etc?

Dang! I thought that u-i-r would not affect requests made while connected through http:// …

That does put a damper on things. It might have to stay an opt-in feature.