block-all-mixed-content CSP Directive (block-all-mixed-content)

Security Glossary - Security Headers

Definition: The block-all-mixed-content CSP directive prevents the browser from loading any HTTP resources on an HTTPS page, including passive content (images, video) that browsers might normally allow with a warning. This directive has been deprecated in favor of upgrade-insecure-requests, which attempts to upgrade rather than block.

Why You Should Care About block-all-mixed-content

block-all-mixed-content was designed to strictly prevent any mixed content by blocking all HTTP resource loads on HTTPS pages. While this provides strong protection against mixed content attacks, it is more disruptive than upgrade-insecure-requests because it blocks resources rather than trying to load them over HTTPS.

Modern browsers already block active mixed content (scripts, stylesheets) by default. Passive mixed content (images, audio, video) is loaded with a warning. block-all-mixed-content extends the blocking to passive content as well.

This directive is now deprecated in favor of upgrade-insecure-requests, which is both less disruptive (resources still load if the HTTPS version works) and more secure (it does not fall back to HTTP). If you are configuring CSP, use upgrade-insecure-requests instead of block-all-mixed-content.

Testing Your Configuration

A security audit checks your CSP directives. If you have block-all-mixed-content, consider replacing it with upgrade-insecure-requests for better compatibility while maintaining the same security goal.
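As an added example (not DomainOptic's scanner or code), the following Python checker parses a Content-Security-Policy header, flags block-all-mixed-content the way this audit step describes, and emits the equivalent policy using upgrade-insecure-requests; the sample header and its CDN hostname are constructed.

```python
"""Added example (not DomainOptic's code): flag the deprecated
block-all-mixed-content CSP directive and emit the upgrade-insecure-requests form."""

DEPRECATED = "block-all-mixed-content"
REPLACEMENT = "upgrade-insecure-requests"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {name: [values]}; names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # A repeated directive keeps its first occurrence, as browsers do.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize(policy: dict[str, list[str]]) -> str:
    """Join a parsed policy back into header syntax (valueless directives allowed)."""
    return "; ".join(" ".join([name, *values]) for name, values in policy.items())


def audit_mixed_content(header: str) -> dict:
    """Report on mixed-content handling and return a corrected header.

    The corrected header drops block-all-mixed-content and, if no upgrade
    directive is present, appends upgrade-insecure-requests in its place.
    """
    policy = parse_csp(header)
    has_block, has_upgrade = DEPRECATED in policy, REPLACEMENT in policy
    if has_block and not has_upgrade:
        finding = "deprecated: replace block-all-mixed-content with upgrade-insecure-requests"
    elif has_block:
        finding = "redundant: upgrade-insecure-requests already present, drop block-all-mixed-content"
    elif has_upgrade:
        finding = "ok: upgrade-insecure-requests in use"
    else:
        finding = "none: active mixed content is blocked by default, passive content still loads"
    fixed = {name: values for name, values in policy.items() if name != DEPRECATED}
    if has_block and not has_upgrade:
        fixed[REPLACEMENT] = []
    return {"deprecated": has_block, "finding": finding, "fixed_header": serialize(fixed)}


# Constructed sample: an HTTPS site still pulling images from an http:// CDN.
SAMPLE = "default-src 'self'; img-src 'self' http://cdn.example.com; block-all-mixed-content"
```

With upgrade-insecure-requests in place, the http://cdn.example.com image requests are upgraded to HTTPS rather than dropped, which is the compatibility gain the text describes.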


Questions and Answers

Is block-all-mixed-content deprecated?

Yes, it is deprecated in favor of upgrade-insecure-requests. Modern browsers treat upgrade-insecure-requests as implying block-all-mixed-content behavior for resources that cannot be upgraded. Use upgrade-insecure-requests instead.

What is the difference between blocking and upgrading mixed content?

Blocking (block-all-mixed-content) prevents HTTP resources from loading at all. Upgrading (upgrade-insecure-requests) attempts to load them over HTTPS. Upgrading is preferred because resources still work if the HTTPS version exists, while blocking breaks them unconditionally.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.