Add the 'upgrade-insecure-requests' CSP directive, so we can see embedded videos while using HTTPS

upgrade-insecure-requests is a new spec that instructs the browser to upgrade resources (iframes, scripts, images, etc.) to HTTPS, rather than just blocking them as mixed content.

It can be served either as a content header, or as a meta tag like this:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Here is a test page: https://googlechrome.github.io/samples/csp-upgrade-insecure-requests/index.html

If this were applied to https://www.newsblur.com/, it would allow those of us using Newsblur securely to see previews on the YouTube channel feeds that Samuel Clay has so awesomely set up.

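As an added illustration (not code from the original post, and not NewsBlur's or any browser's implementation), the following models how a browser applies the upgrade-insecure-requests directive to the requests a page issues, following the W3C spec's upgrade algorithm: http: becomes https:, ws: becomes wss:, every subresource load is rewritten, and top-level navigations are rewritten only when they stay on the document's own host (a simplification of the spec's "upgrade insecure navigations set"). It also shows the point that surprised the thread later on: the directive is applied based on the document's policy, not its scheme, so an http:// page that carries it still has its images upgraded. The hostnames and paths in the examples are constructed for the demonstration.

```javascript
// Added example: a model of the upgrade-insecure-requests algorithm.
// Illustration only; not NewsBlur code and not a browser implementation.

// The spec treats subresource fetches (img, script, iframe, XHR, ...),
// navigations (link clicks) and form submissions differently.
const KIND = { SUBRESOURCE: "subresource", NAVIGATION: "navigation", FORM: "form" };

// Schemes the directive rewrites, and what they become.
const UPGRADE_SCHEME = { "http:": "https:", "ws:": "wss:" };

/**
 * Return the URL the browser would actually request, given the document that
 * issued it and whether that document carries upgrade-insecure-requests.
 *
 * The document's own scheme is deliberately not consulted: the directive is
 * applied to http:// documents as well, which is what broke images for
 * people using the plain-http site.
 */
function upgradeInsecureRequest(requestUrl, documentUrl, { policy = false, kind = KIND.SUBRESOURCE } = {}) {
  const url = new URL(requestUrl, documentUrl);   // resolves relative URLs
  if (!policy) return url.href;
  if (!(url.protocol in UPGRADE_SCHEME)) return url.href;   // https:, wss:, data:, ...

  // Simplified navigation rule: only same-host navigations are upgraded, so
  // links to third-party http-only sites keep working. Form submissions and
  // all subresource loads are always upgraded.
  if (kind === KIND.NAVIGATION && url.hostname !== new URL(documentUrl).hostname) {
    return url.href;
  }

  // Default ports follow the new scheme (80 -> 443, ws 80 -> wss 443);
  // an explicit non-default port such as :8080 is preserved.
  url.protocol = UPGRADE_SCHEME[url.protocol];
  return url.href;
}

/**
 * What happens to a subresource load:
 *   "allowed"       - fetched as written (http page, or already secure)
 *   "upgraded"      - rewritten to https:/wss: first
 *   "mixed-content" - insecure load from an https page without the directive;
 *                     browsers block frames/scripts and warn about images
 */
function subresourceOutcome(requestUrl, documentUrl, policy) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl, documentUrl);
  const insecure = req.protocol in UPGRADE_SCHEME;
  if (policy && insecure) {
    return { outcome: "upgraded", url: upgradeInsecureRequest(requestUrl, documentUrl, { policy }) };
  }
  if (doc.protocol === "https:" && insecure) {
    return { outcome: "mixed-content", url: req.href };
  }
  return { outcome: "allowed", url: req.href };
}

/**
 * The header form of the directive (the <meta> tag above is the in-document
 * equivalent), emitted only for https:// visitors so the plain-http site is
 * left untouched. Hypothetical helper for illustration.
 */
function cspHeaderFor(documentUrl) {
  return new URL(documentUrl).protocol === "https:"
    ? { "Content-Security-Policy": "upgrade-insecure-requests" }
    : {};
}

// Constructed sample: a feed image served over plain http from a CDN.
const SAMPLE_IMAGE = "http://img.cdn.example/preview.png";
console.log(subresourceOutcome(SAMPLE_IMAGE, "https://www.newsblur.com/", false).outcome); // mixed-content
console.log(subresourceOutcome(SAMPLE_IMAGE, "https://www.newsblur.com/", true).outcome);  // upgraded
console.log(subresourceOutcome(SAMPLE_IMAGE, "http://www.newsblur.com/", true).outcome);   // upgraded too
```

The last line is the catch: with the directive served on both schemes, the http:// site also has its CDN images rewritten to https://, and if the CDN's certificate does not cover that hostname the image fails where it previously loaded fine.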

Yes Please!

This would be great +1

+1 on this 🙂

Yeah, would love to see that. In Firefox one can allow insecure content, but this reloads NewsBlur, and the site is gone. So I switched to HTTP, what a shame.

And worse yet, despite a lot of people asking for it Mozilla is stubbornly refusing to add the option to remember the setting for a site, you have to enable mixed content every time you load the site. I’ve also reverted to HTTP.

This would be fantastic if it was added.

Sure thing, deployed: https://github.com/samuelclay/NewsBlur/commit/9882dd944972f5dd9425c5f63c8154d94954cad7


Noice!

Track the browser implementations here:

Chrome:
https://www.chromestatus.com/features/6534575509471232

Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=1139297

IE:
https://status.modern.ie/upgradeinsecureresourcerequests?term=upgrade%20insecure%20re

Safari:
???


I don’t know if it’s related, but I’m now seeing lots of broken images in posts. Looking at it, the site is serving them as http but Chrome is fetching them as https, and getting certificate errors (it mostly seems to be those using CDNs without the right cert deployed to the CDN nodes themselves).

Anyone else seeing something similar?

Yeah, I’m getting this too.

Yeah, I’m going to have to take this out, unfortunately. Too many users are complaining about broken images.

Maybe you can try this again in six months as sites get better with this…

I was seeing it when using the non-TLS newsblur site, so I’m not expecting to see content upgraded to HTTPS (because I’ll never see the mixed content warning anyway).

Maybe you can just set the directive if a user visits Newsblur over HTTPS and not HTTP? Add a warning it might cause broken images etc?

Dang! I thought that u-i-r would not affect requests made while connected through http:// …

That does put a damper on things. It might have to stay an opt-in feature.