Reputation: 693
Somewhere in the code, over a secure site, the following snippet is used:
    // Create a throwaway iframe whose src is a custom-scheme URL; per the
    // question, the host application intercepts this navigation as a callback.
    var iframe = document.createElement("IFRAME");
    iframe.setAttribute("src", "pugpig://onPageReady");
    // Attaching the iframe is what triggers the request; it is removed at once.
    document.documentElement.appendChild(iframe);
    iframe.parentNode.removeChild(iframe);
    iframe = null;
The iframe src attribute set here is actually triggering a callback, but it's causing Chrome (version 54) to complain about "Mixed Content", as the src attribute is interpreted as a non-https URL over an https:// domain, and that version of Chrome does not present users with an easy option to allow mixed content to load anyway (e.g. a shield icon in the address bar).
Changing the Chrome version, using a different browser, or starting Chrome with the --allow-running-insecure-content switch is not an option for certain reasons, so my question is: is there a way to make the "pugpig://onPageReady" part be perceived as an https URL?
Upvotes: 0
Views: 5695
Reputation: 182
You can try this:
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
Or
    <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />
Paste it in <head>...</head> tags.
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets using HTTP when the page is loaded using HTTPS. All mixed content resource requests are blocked, including both active and passive mixed content. This also applies to <iframe> documents, ensuring the entire page is mixed content free.
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content, and if the former is set, the latter is effectively a no-op. It is recommended to set one directive or the other, not both.
Upvotes: 3
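As an added example, not code from the question or from either answer, here is a small JavaScript model of the decision the browser is making about the question's iframe request, and of what the two directives in the answer above do to it, with the pugpig:// URL from the question beside an ordinary http:// asset and a relative path. The scheme sets are assumptions drawn from the W3C Mixed Content and Upgrade Insecure Requests specifications (real browsers add further special cases such as localhost), and the page and CDN URLs are constructed.

```javascript
// Added illustration (not code from the question or either answer): a model of
// how a browser decides whether a subresource on an https: page is mixed
// content, and what the two CSP directives discussed above do to that request.
// The scheme lists below are assumptions taken from the W3C Mixed Content and
// Upgrade Insecure Requests specs; browsers add further cases (e.g. localhost).

// Schemes the Mixed Content spec treats as "a priori authenticated".
const A_PRIORI_AUTHENTICATED = new Set(["https:", "wss:", "data:", "blob:"]);
// Schemes that upgrade-insecure-requests rewrites (http -> https, ws -> wss).
const UPGRADE_MAP = new Map([["http:", "https:"], ["ws:", "wss:"]]);

// Resolve a (possibly relative) resource URL against the page URL;
// returns null when it cannot be parsed.
function resolve(resourceUrl, pageUrl) {
  try {
    return new URL(resourceUrl, pageUrl);
  } catch {
    return null;
  }
}

// Classify a resource request relative to the page:
//   "not-secure-context" - the page itself is not https, so mixed content does not apply
//   "invalid"            - the resource URL does not parse
//   "secure"             - resource scheme is a priori authenticated
//   "mixed"              - any other scheme, including custom ones such as pugpig:
function classify(resourceUrl, pageUrl) {
  if (new URL(pageUrl).protocol !== "https:") return "not-secure-context";
  const res = resolve(resourceUrl, pageUrl);
  if (res === null) return "invalid";
  return A_PRIORI_AUTHENTICATED.has(res.protocol) ? "secure" : "mixed";
}

// Apply the CSP directives named in the answer to one request.
// Returns { url, action } where action is one of:
//   "load"            - not mixed content, fetched as-is
//   "upgrade"         - rewritten by upgrade-insecure-requests
//   "block"           - blocked by block-all-mixed-content (or unparsable)
//   "browser-default" - mixed content neither directive handles; the browser's
//                       own mixed-content policy decides (Chrome 54 blocked
//                       this iframe, as the question reports)
function applyPolicy(resourceUrl, pageUrl, directives) {
  const res = resolve(resourceUrl, pageUrl);
  if (res === null) return { url: resourceUrl, action: "block" };
  const upgrade = directives.includes("upgrade-insecure-requests");
  const blockAll = directives.includes("block-all-mixed-content");

  // upgrade-insecure-requests only knows http: and ws:; it is evaluated first,
  // and when it is present block-all-mixed-content is a no-op.
  if (upgrade && UPGRADE_MAP.has(res.protocol)) {
    res.protocol = UPGRADE_MAP.get(res.protocol);
    return { url: res.href, action: "upgrade" };
  }
  const kind = classify(resourceUrl, pageUrl);
  if (kind !== "mixed") return { url: res.href, action: "load" };
  if (blockAll && !upgrade) return { url: res.href, action: "block" };
  return { url: res.href, action: "browser-default" };
}

// Run the question's URL, a plain http: asset and a relative path through
// each policy combination; page and CDN URLs are constructed sample values.
function demo() {
  const page = "https://app.example.test/reader";
  const requests = ["pugpig://onPageReady", "http://cdn.example.test/a.js", "/local.js"];
  const policies = [["upgrade-insecure-requests"], ["block-all-mixed-content"], []];
  const rows = [];
  for (const url of requests) {
    for (const policy of policies) {
      const result = applyPolicy(url, page, policy);
      rows.push({
        url,
        policy: policy.join(",") || "(none)",
        classification: classify(url, page),
        ...result,
      });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) console.table(demo());
```

Running the file with node prints a table of all nine combinations. The point worth taking away is that the upgrade rewrite is scheme-based and applies only to http: and ws: URLs, so a custom scheme such as pugpig: is classified as mixed content under every policy and is either blocked outright or left to the browser's default mixed-content handling.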
Reputation: 81
As far as I know, no, there's not. If there is, it can be considered a security flaw, and it will be fixed.
Upvotes: -1