Tags: html, google-chrome, http, https, mixed-content

Why is mixed content on Google Chrome not working?


I have a site that is loaded over a secure connection (https://). I have a href to http:// that downloads a file. I want to use the mixed content solution here (I know I should do https:// but for now I want to use http://). So for the fix I added <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to the head. For some reason I still get the Mixed Content error in Google Chrome. My current Chrome version is 88.


Solution

  • From MDN:

    The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).

    That directive does not allow mixed content. It just treats all http: links as if they were https: links (e.g. if a link which points to http://google.com/ is clicked, the browser navigates to https://google.com/). The only ways (AFAIK) to allow mixed content are to either:

    • serve your content via plain HTTP, or
    • allow mixed content manually in the site's settings.
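
The rewrite described in the answer, as an added example that is not part of the original answer: it models only the http: to https: URL rewrite (not which request types a browser applies it to) and lists the links on a constructed sample page that would be requested over HTTPS, so each rewritten URL has to be reachable over HTTPS for the download to succeed. The hosts, the sample HTML and the function names `upgradeUrl` and `auditPage` are hypothetical.

```javascript
// Added example. Models the URL rewrite of upgrade-insecure-requests only.
// Constructed sample data: an HTTPS page that links to files over http://.
const SAMPLE_PAGE = 'https://www.example.com/downloads/';
const SAMPLE_HTML = `
<head><meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"></head>
<a href="http://files.example.com/report.pdf">Report</a>
<a href="http://files.example.com:8080/tool.zip">Tool</a>
<img src="https://cdn.example.com/logo.png">
<a href="notes.txt">Notes</a>`;

// Resolve a reference against the page URL and apply the http: -> https: rewrite.
function upgradeUrl(raw, base) {
  const url = new URL(raw, base);            // handles relative references
  const original = url.href;
  if (url.protocol !== 'http:') {
    return { original, requested: original, upgraded: false };
  }
  // Only the scheme changes. The default port follows the scheme (80 -> 443);
  // an explicit non-default port such as :8080 is kept as written.
  url.protocol = 'https:';
  return { original, requested: url.href, upgraded: true };
}

// List every href/src on the page that would be rewritten. There is no
// fallback to plain HTTP, so each "requested" URL must answer over HTTPS.
function auditPage(pageUrl, html) {
  const attr = /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  for (const match of html.matchAll(attr)) {
    const result = upgradeUrl(match[1], pageUrl);
    if (result.upgraded) findings.push(result);
  }
  return findings;
}

for (const f of auditPage(SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log(`${f.original} -> ${f.requested}`);
}
```

If a host in the output does not serve the file over HTTPS, the link fails instead of falling back to HTTP.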