The "Upgrade Insecure Requests" Content Security Policy can be used to automatically upgrade all navigation requests so that they go to the secure version of the page.
In practice, this is helpful for sites that are working toward full HTTPS support but are not yet ready to deliver Strict Transport Security headers. It keeps users who have already reached the site securely on the secure site where applicable.
Like other Content Security Policies, the recommended approach is to enable it via an HTTP response header, Content-Security-Policy: upgrade-insecure-requests. However, if you do not have control over the underlying web server (as is the case in this demo), an alternative is to include the <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> tag in your HTML's <head>.
The following link explicitly uses an http: URL: http://s3.amazonaws.com/share.sbndev.net/csp/csp-upgrade-insecure-requests-navigation/index.html
Because this page has Content-Security-Policy: upgrade-insecure-requests
active, the http: is treated as https:, and the user is kept on the secure page.
Note: This will only work when the entire domain name (including the subdomain) is the same for the page that loaded the link and for the link itself.
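
The same-host rule in the note above can be checked offline before relying on the policy. The following is an added example, not part of the original sample or of any browser's code: a simplified JavaScript model of the navigation upgrade that reports which http: links on a page would stay insecure. The function names and the example.test hosts are assumptions made for illustration.

```javascript
// Simplified model of the navigation rule described on this page.
// Function names and hosts are illustrative, not browser internals.

// True if any policy in a Content-Security-Policy header value carries
// the upgrade-insecure-requests directive.
function hasUpgradeDirective(cspHeaderValue) {
  return cspHeaderValue
    .split(/[;,]/) // ";" separates directives, "," separates policies
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .includes("upgrade-insecure-requests");
}

// Returns the URL a link on pageUrl navigates to and whether the
// http: scheme was rewritten to https:.
function resolveNavigation(pageUrl, href, cspHeaderValue) {
  const page = new URL(pageUrl);
  const target = new URL(href, page); // also resolves relative links
  const sameHost = target.hostname === page.hostname; // subdomain must match too
  if (
    target.protocol === "http:" &&
    sameHost &&
    hasUpgradeDirective(cspHeaderValue)
  ) {
    target.protocol = "https:";
    return { url: target.href, upgraded: true };
  }
  return { url: target.href, upgraded: false };
}

// Audit helper: the links that still navigate over plain http.
function insecureNavigations(pageUrl, hrefs, cspHeaderValue) {
  return hrefs
    .map((h) => resolveNavigation(pageUrl, h, cspHeaderValue).url)
    .filter((u) => u.startsWith("http:"));
}

// Constructed sample input.
const PAGE = "https://app.example.test/index.html";
const LINKS = [
  "http://app.example.test/account", // same host: upgraded
  "http://www.example.test/help",    // different subdomain: not upgraded
  "/relative/page",                  // inherits https from the page
];
const POLICY = "default-src 'self'; upgrade-insecure-requests";

console.log(insecureNavigations(PAGE, LINKS, POLICY));
```

Links that the audit reports need their URLs corrected at the source, since the policy on this page does not cover them.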