This automatically upgrades all insecure resource requests from their pages to secure variants, allowing a user agent to treat the following HTML code:
Thanks Malvoz. I hadn't even considered the possibility of being able to enforce CSP using meta tags. Hopefully we won't need it, but no harm having extra defence.
Future-proof potential issues with HTTP links by setting `upgrade-insecure-requests` through CSP's `<meta>` element delivery method as proposed in https://github.com/Maps4HTML/HTML-Map-Element-UseCases-Requirements/issues/126#issuecomment-524376011.
For links to third parties, only "non-navigational upgrades" are applied (e.g. upgrade a script from http to https). But "navigational upgrades" aren't applied (meaning if we link to an external website using `<a href="http://...">` it won't be upgraded to https).
non-navigational upgrades:
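Added example, not part of the original pull request or the project's code: a small audit that sorts a page's `http://` URLs by whether a `<meta>`-delivered `upgrade-insecure-requests` policy covers them. The sample page, its host names and the names `UpgradeAudit` and `audit` are assumptions made for illustration. It also handles two cases the description does not spell out: same-host links are upgraded, and a `<meta>` policy does not apply to content that precedes it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Simplified subset of fetch sites (assumption); srcset, CSS url() etc. are not covered.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("link", "href")}
NAVIGATION = {("a", "href")}

# Constructed sample page, assumed to be served from maps.example.org.
SAMPLE = """<head><script src="http://cdn.example.net/early.js"></script>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<script src="http://cdn.example.net/lib.js"></script></head>
<body><img src="http://maps.example.org/tile.png">
<a href="http://maps.example.org/about">About</a>
<a href="http://third-party.example.com/">External</a></body>"""

class UpgradeAudit(HTMLParser):
    """Sort http:// URLs by whether upgrade-insecure-requests covers them."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.policy_active = False  # a <meta> policy only applies to content after it
        self.upgraded, self.left_insecure = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            names = [d.split()[0].lower() for d in a.get("content", "").split(";") if d.strip()]
            self.policy_active |= "upgrade-insecure-requests" in names
            return
        for name, value in a.items():
            url = urlsplit(value)
            if url.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCE:
                covered = self.policy_active  # non-navigational upgrade
            elif (tag, name) in NAVIGATION:
                # navigational upgrade: same host only, third-party links stay http
                covered = self.policy_active and url.hostname == self.page_host
            else:
                continue
            (self.upgraded if covered else self.left_insecure).append(value)

def audit(html, page_host):
    parser = UpgradeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.upgraded, parser.left_insecure

if __name__ == "__main__":
    print(audit(SAMPLE, "maps.example.org"))
```

URLs in the second list are the ones to rewrite to `https://` by hand, or to fix by moving the `<meta>` element above them.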