Content-Security-Policy


“Mixed content blocked” when running an HTTP AJAX operation on an HTTPS page

Recently, we got a peculiar error on an HTTPS website while making Ajax requests.
Even though the website was served entirely over HTTPS, the Ajax request, which used a relative path, was failing with the “Mixed content blocked” error message.
To resolve this issue quickly (without touching the JavaScript code), we added the following meta tag to the website’s header.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
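The following is an added example, not code from the original post. It models how a relative Ajax URL is resolved and what scheme rewrite upgrade-insecure-requests applies to the result. The post does not say why the relative path ended up as an HTTP request; an http:// <base href> is assumed here as one configuration that produces it, and the function names and shop.example URLs are constructed for illustration.

```javascript
// Added example: relative-URL resolution and the effect of the
// upgrade-insecure-requests directive. All URLs are constructed samples.

// Resolve a request URL the way a browser does: against <base href> when
// the page declares one, otherwise against the page URL itself.
function resolveRequest(pageUrl, requestPath, baseHref) {
  const base = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(requestPath, base);
}

// Scheme rewrite performed by upgrade-insecure-requests:
// http -> https and ws -> wss. Host, path and explicit ports are kept.
function upgradeInsecure(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  else if (u.protocol === 'ws:') u.protocol = 'wss:';
  return u;
}

// Report the final URL of one request and whether an HTTPS page would
// treat it as mixed content. Simplified: loopback exceptions are ignored.
function checkRequest(pageUrl, requestPath, { baseHref, upgrade = false } = {}) {
  const page = new URL(pageUrl);
  let target = resolveRequest(pageUrl, requestPath, baseHref);
  if (upgrade) target = upgradeInsecure(target);
  const insecure = target.protocol === 'http:' || target.protocol === 'ws:';
  return { url: target.href, mixed: page.protocol === 'https:' && insecure };
}

const page = 'https://shop.example/cart';          // constructed page URL
const httpBase = 'http://shop.example/';           // assumed <base href>

// No <base>: the relative path inherits https from the page.
console.log(checkRequest(page, '/api/items'));
// http <base>: the same relative path becomes an http request (mixed).
console.log(checkRequest(page, '/api/items', { baseHref: httpBase }));
// Same page with the directive: the request is rewritten to https.
console.log(checkRequest(page, '/api/items', { baseHref: httpBase, upgrade: true }));
```

Running the three cases side by side shows whether the directive is masking an HTTP base or redirect that is still present in the page or server configuration.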