CSP: remove obsolete block-all-mixed-content directive #11436

Merged 1 commit on Jul 9, 2024


Member

@stsewd stsewd commented Jun 24, 2024

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

> This directive is marked as obsolete in the specification. This
> directive was previously used to prevent "optionally blockable" mixed
> content from being fetched insecurely and displayed. Content that isn't
> blocked is now always upgraded to a secure connection, so this directive
> is not needed.
@stsewd stsewd requested a review from a team as a code owner June 24, 2024 20:43
@stsewd stsewd requested a review from humitos June 24, 2024 20:43
Member

humitos commented Jun 25, 2024

When was this deprecated? I'm concerned about some browsers not respecting the new behavior yet if this header is not present.

Member Author

stsewd commented Jun 25, 2024

This is an obsolete CSP directive we are removing; this doesn't affect our site at all. Safari doesn't even support it anymore.

@stsewd stsewd merged commit f38c9cc into main Jul 9, 2024
7 checks passed
@stsewd stsewd deleted the remove-deprecated-csp-dir branch July 9, 2024 14:09
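
The same cleanup applied to an arbitrary policy string, as an added example that is not taken from this pull request or the project's code: it parses a Content-Security-Policy value and drops `block-all-mixed-content` while leaving every other directive, including `upgrade-insecure-requests`, in place. The function names and the sample policy are assumptions constructed for illustration.

```python
# Added example: function names and the sample policy are constructed for
# illustration and are not the project's own code.
OBSOLETE_DIRECTIVES = frozenset({"block-all-mixed-content"})


def parse_csp(header):
    """Parse a CSP header value into an ordered {directive: [values]} dict.

    Directive names are ASCII case-insensitive, and when a name is repeated
    only the first occurrence counts, so later duplicates are dropped.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty segment, e.g. after a trailing ';'
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def strip_obsolete(header, obsolete=OBSOLETE_DIRECTIVES):
    """Return (cleaned_header, removed_names) with obsolete directives dropped."""
    policy = parse_csp(header)
    removed = [name for name in policy if name in obsolete]
    kept = {n: v for n, v in policy.items() if n not in obsolete}
    cleaned = "; ".join(" ".join([n, *v]) for n, v in kept.items())
    return cleaned, removed


if __name__ == "__main__":
    # Constructed sample policy with mixed-case directive name and trailing ';'.
    sample = "default-src 'self'; Block-All-Mixed-Content; img-src 'self' https:;"
    cleaned, removed = strip_obsolete(sample)
    print(cleaned)
    print(removed)
```
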