Revert from Secure to Mixed Content because of a redirect, in spite of upgrade-insecure-requests Content-Security-Policy directive

A chess set before the start of a game. Close-up on the black pieces.

The upgrade-insecure-requests directive is evaluated before block-all-mixed-content; if it is set, the latter is effectively a no-op, because upgrade-insecure-requests should upgrade all requests to HTTPS.

Unfortunately, Chrome <= 68 doesn't implement upgrade-insecure-requests properly: if it requests an HTTPS resource that redirects to an HTTP resource, it doesn't force the redirected request to HTTPS, which creates a mixed-content context.

Mixed Content in Chrome 68 (fr)

The bug is known.
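To find the redirects that expose a page to this behaviour, the sketch below models both cases (redirect targets upgraded, and redirect targets requested as sent) and lists every HTTPS-to-HTTP hop. It is an added example, not code from the original post; the hostnames, the redirect table and the function names are constructed for illustration.

```javascript
// Added example: model of subresource fetches on an HTTPS page served with
// "Content-Security-Policy: upgrade-insecure-requests".
// REDIRECTS and PAGE_RESOURCES are constructed sample data (hypothetical hosts).
const REDIRECTS = {
  "https://cdn.example.test/lib.js": "http://legacy.example.test/lib.js",
  "https://img.example.test/a.png": "https://static.example.test/a.png",
  "https://old.example.test/font.woff": "http://fonts.example.test/font.woff",
};
const PAGE_RESOURCES = [
  "https://cdn.example.test/lib.js",
  "https://img.example.test/a.png",
  "http://old.example.test/font.woff", // written as http: in the page markup
];

// Rewrite http: to https:, which is what the directive asks of the browser.
function upgrade(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Follow a redirect chain. The initial request is upgraded in both models.
// upgradeRedirects=true: every redirect target is upgraded as well.
// upgradeRedirects=false: redirect targets are requested as the server sent
// them, the behaviour the post describes for Chrome <= 68.
function followChain(start, upgradeRedirects, redirects = REDIRECTS, maxHops = 10) {
  let url = upgrade(start);
  const hops = [url];
  while (redirects[url] !== undefined && hops.length <= maxHops) {
    const next = new URL(redirects[url], url).href; // Location may be relative
    url = upgradeRedirects ? upgrade(next) : next;
    hops.push(url);
  }
  return hops;
}

// Report every resource whose chain contains an HTTPS -> HTTP hop when
// redirect targets are not upgraded; each one is a redirect to fix server-side.
function findDowngrades(resources, redirects = REDIRECTS) {
  const findings = [];
  for (const resource of resources) {
    const hops = followChain(resource, false, redirects);
    const i = hops.findIndex((h) => h.startsWith("http://"));
    if (i !== -1) findings.push({ resource, from: hops[i - 1], to: hops[i] });
  }
  return findings;
}

console.log(findDowngrades(PAGE_RESOURCES));
```

Each finding names a redirect whose target should be changed to HTTPS at the server, which removes the mixed content whether or not the browser upgrades redirected requests.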