This rule is deprecated, and will eventually be removed.

Websites served over HTTPS can still load resources over unencrypted HTTP, creating mixed-content vulnerabilities.

Why is this an issue?

Mixed content occurs when a page loaded over HTTPS fetches resources over plain HTTP. Those unencrypted requests can be read and modified by a man-in-the-middle, undermining the protection that HTTPS gives the page. This rule raises an issue when a Content Security Policy is configured without the blockAllMixedContent directive (sent to the browser as block-all-mixed-content).

What is the potential impact?

Data integrity and confidentiality

Passive mixed content, such as images loaded over HTTP, can be intercepted and replaced by an attacker, for example to display phishing content in an otherwise legitimate page. Active mixed content, such as scripts or stylesheets loaded over HTTP, lets an attacker inject code that runs in the page's origin, compromising the entire website, reading and modifying the DOM, and stealing any cookies that are readable from JavaScript.

How to fix it

Code examples

When using the helmet or helmet-csp middleware in an Express.js application, the Content Security Policy should include the blockAllMixedContent directive so that the browser refuses to load any HTTP resource on an HTTPS page. Helmet accepts the camelCase directive name and serializes it as block-all-mixed-content in the Content-Security-Policy header; an empty array is the way to express a directive that takes no value. Note that browsers have since deprecated block-all-mixed-content in favour of upgrade-insecure-requests, which rewrites HTTP subresource requests to HTTPS instead of refusing them, so a policy using either directive protects the page.

Noncompliant code example

const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      "default-src": ["'self'", 'example.com', 'code.jquery.com']
    } // Noncompliant: blockAllMixedContent directive is missing
  })
);

Compliant solution

const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      "default-src": ["'self'", 'example.com', 'code.jquery.com'],
      blockAllMixedContent: [] // Compliant: emitted as the valueless "block-all-mixed-content" directive
    }
  })
);
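The following is an added example, not code from the rule page or from the helmet project. It reproduces, without any dependency on Express or helmet, how a helmet-style `directives` object is serialized into a Content-Security-Policy header value (camelCase names become kebab-case, an empty value list becomes a bare directive keyword), and then audits a header string for mixed-content protection the way a checker for this rule would: the policy passes if it carries block-all-mixed-content, or the newer upgrade-insecure-requests that browsers now prefer. The helper names (toKebabCase, buildCsp, parseCsp, auditMixedContent) and the two sample policies are constructed for this example and mirror the noncompliant and compliant configurations above.

```javascript
// Added example (not part of the original rule page). Assumed helper names;
// no Express or helmet required, runs with plain Node.js.

// Convert a camelCase directive name to the kebab-case form browsers expect
// (blockAllMixedContent -> block-all-mixed-content). Names that are already
// kebab-case, like "default-src", pass through unchanged.
function toKebabCase(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Serialize a directives object into a Content-Security-Policy header value.
// A directive with an empty value list (blockAllMixedContent: []) is emitted
// as a bare keyword, which is how valueless CSP directives are written.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const key = toKebabCase(name);
      return values.length ? `${key} ${values.join(" ")}` : key;
    })
    .join("; ");
}

// Parse a CSP header value back into a Map of directive name -> value tokens.
// Directive names are case-insensitive, so they are normalised to lower case.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Audit a header for mixed-content protection. block-all-mixed-content makes
// the browser refuse HTTP subresources outright; upgrade-insecure-requests
// (the directive browsers now prefer) rewrites them to HTTPS instead. Either
// one prevents an HTTPS page from fetching plain-HTTP resources.
function auditMixedContent(header) {
  const policy = parseCsp(header);
  const blocks = policy.has("block-all-mixed-content");
  const upgrades = policy.has("upgrade-insecure-requests");
  const compliant = blocks || upgrades;
  return {
    blocks,
    upgrades,
    compliant,
    finding: compliant ? null : "blockAllMixedContent directive is missing",
  };
}

// Constructed sample policies mirroring the noncompliant and compliant
// helmet configurations on this page.
const noncompliantPolicy = buildCsp({
  "default-src": ["'self'", "example.com", "code.jquery.com"],
});
const compliantPolicy = buildCsp({
  "default-src": ["'self'", "example.com", "code.jquery.com"],
  blockAllMixedContent: [],
});

console.log(noncompliantPolicy, "=>", auditMixedContent(noncompliantPolicy));
console.log(compliantPolicy, "=>", auditMixedContent(compliantPolicy));
```

The parser is deliberately tolerant of spacing and case so it can be pointed at a real header captured from `curl -sI https://example.com` output; the noncompliant policy reports the same finding text as the rule, and the compliant one reports no finding.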

Resources

Documentation

Standards