Maps4HTML / HTML-Map-Element-UseCases-Requirements

Use cases and requirements for Maps on the Web
https://maps4html.org/HTML-Map-Element-UseCases-Requirements/

upgrade insecure requests? #129

Closed Malvoz closed 4 years ago

Malvoz commented 4 years ago

Future-proof potential issues with HTTP links by setting upgrade-insecure-requests through CSP's <meta> element delivery method as proposed in https://github.com/Maps4HTML/HTML-Map-Element-UseCases-Requirements/issues/126#issuecomment-524376011.

For links to third parties, only "non-navigational upgrades" are applied (e.g. upgrade a script from http to https). But "navigational upgrades" aren't applied (meaning if we link to an external website using <a href="http://..."> it won't be upgraded to https).

non-navigational upgrades:

This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:

<img src="http://example.com/image.png">
<img src="http://not-example.com/image.png">

as though it had been delivered as:

<img src="https://example.com/image.png">
<img src="https://not-example.com/image.png">

navigational upgrades: This allows user agents to treat the following HTML code:

<a href="http://example.com/">Home</a>

as though it had been delivered as:

<a href="https://example.com/">Home</a>

Links to third-party sites will not be upgraded. That is, the following HTML code:

<a href="http://not-example.com/">Home</a>

won’t be upgraded.
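As an added illustration (not code from this issue or the Maps4HTML project), the upgrade rules quoted above modelled as a small JavaScript decision function, with the policy delivered via `<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">`; the page origin `https://example.com` and the sample requests are constructed to mirror the four cases in the text.

```javascript
// Added illustration of the upgrade-insecure-requests behaviour described above.
// Not code from the issue or the Maps4HTML project. The page would carry the policy as:
//   <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
// Constructed assumption: the document carrying that <meta> lives at https://example.com.
const PAGE_ORIGIN = "https://example.com";

// Decide what the policy does with one request. Returns the rewritten URL when the
// request is upgraded, or null when the policy leaves it untouched.
//   requestUrl   - the URL the page asked for (string)
//   isNavigation - true for <a href> / form submissions, false for subresources (img, script, ...)
function upgradeInsecureRequest(requestUrl, isNavigation, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(requestUrl);
  // Only insecure http: is in scope; https: (and anything else) is returned unchanged.
  if (url.protocol !== "http:") return null;
  // Non-navigational requests are upgraded whether first-party or third-party.
  // Navigational requests are upgraded only when they stay on the page's own host.
  const pageHost = new URL(pageOrigin).hostname;
  if (isNavigation && url.hostname !== pageHost) return null;
  url.protocol = "https:"; // default port 80 becomes default 443; an explicit :8080 is kept
  return url.href;
}

// Apply the decision to a batch of requests and report the effective URL for each.
function applyPolicy(requests, pageOrigin = PAGE_ORIGIN) {
  return requests.map(({ url, isNavigation }) => ({
    url,
    effective: upgradeInsecureRequest(url, isNavigation, pageOrigin) ?? url,
  }));
}

// Constructed sample requests mirroring the four cases in the issue text.
const SAMPLE_REQUESTS = [
  { url: "http://example.com/image.png",     isNavigation: false }, // first-party <img>: upgraded
  { url: "http://not-example.com/image.png", isNavigation: false }, // third-party <img>: upgraded
  { url: "http://example.com/",              isNavigation: true  }, // first-party <a>: upgraded
  { url: "http://not-example.com/",          isNavigation: true  }, // third-party <a>: left as http
];

for (const r of applyPolicy(SAMPLE_REQUESTS)) {
  console.log(`${r.url} -> ${r.effective}`);
}
```

The last line printed shows the gap the issue is about: a third-party `<a href="http://...">` keeps its insecure scheme even with the policy in place.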

AmeliaBR commented 4 years ago

Thanks Malvoz. I hadn't even considered the possibility of being able to enforce CSP using meta tags. Hopefully we won't need it, but no harm having extra defence.