Block all mixed content

How do I completely prevent any mixed content from loading?

Current browsers are already blocking active mixed content (scripts). What I really want is to block all of it including images.

Purpose of this is to immediately see every offending image or file as broken, but not as an ambiguous warning in the address bar.

Is there a cross-browser way to do that?

Solution

The standard way to strictly block all mixed content: block-all-mixed-content CSP directive.

In the simplest case if you’re not setting other CSP directives, it requires just sending this header:

Content-Security-Policy: block-all-mixed-content

Since not every browser support this directive, it may be feasible to send an extended header instead:

Content-Security-Policy: img-src https: data:

Other option is to force all plain http requests to go over https:

Content-Security-Policy: upgrade-insecure-requests

AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate
Apache warns that my self-signed certificate is a CA certificate
How to troubleshoot SSL/TLS handshake in Google Chrome browser?
Force my heroku app to use SSL (https)
How to load socketio over https from ssl website?
SSL Key Decryption
I have no idea how to connect server and client with https or wss
Can't Get SSL to Work With NodeJS
If I have already a HTTPS can I use wss, or I need to pay additional fee?
Android library for WSS (Secure Web Socket)
How to run a websocket server on ws and wss at same time that they both communicate or sync data with each other? Or WSS on HTTP and WS on HTTPS?
Node.js + Express.js + Socket.io on port 443 (HTTPS TLS/SSL)
Securing a Socket.IO Websocket and restricting it to a domain
Node wss Websocket works on Desktop, not on Mobile
Websocket - WSS not working on HTTPS in video recording
Secured WebSocket connection not working in FireFox and Chrome in MAC OS?
WebSocket Error in connection establishment: net::ERR_CONNECTION_CLOSED
Launching https on Tomcat Port 8443 - requires the APR/native library which is not available
Apache 308 redirects change the protocal from https to http
Can .NET SslStream AuthenticateAsServer respect client-sent Server Name Indicator?
How can I make git accept a self signed certificate?
Could not establish secure channel for SSL/TLS with authority '*'
How to find out if you're using HTTPS without $_SERVER['HTTPS']
How to use https in Vite with vite-plugin-mkcert?
Trusting all certificates using HttpClient over HTTPS
Configuring https on lighttpd
Not able to access websites when Charles Proxy is opened (Windows 10)
Why are HTTPS response bodies logged as bytes in my MITM proxy script?
Istio Ingress Gateway with TLS termination returning 503 service unavailable
How to deploy a react app in production over https?