Block Mixed Content in plugins


ljm42


From the 6.8.0-rc1 release notes:

Quote

webgui: If a page is loaded via https, prevent it from loading resources via http (ie, block mixed content)

 

Hi plugin authors,

 

Unraid 6.8 includes a Content Security Policy metatag that blocks mixed content from loading:

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

This means if the page is loaded over https and you try to include an http image/JS/CSS file, that resource will not load.  It has no effect on pages that are loaded by http.  More info here:
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content 

 

Refusing to load http content helps prevent man-in-the-middle attacks and ISP snooping. 

 

Anyway, if your plugin has issues loading content in 6.8, check to see whether the content is being loaded over regular http and change it to https.

 

Also, if your plugin creates any popup dialog boxes of its own, please ensure they include both of these metatags:

<meta name="robots" content="noindex, nofollow">
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

The first will keep well-behaved search engines from indexing the popup (although it is now somewhat redundant with the robots.txt file).  And the second ensures that mixed content is not allowed on your popup.

 

There should be no ill effects if a plugin implements this and it is installed on an earlier version of Unraid.

 

Here is the relevant PR showing the changes that were needed to implement this in the webgui:
  https://github.com/limetech/webgui/pull/523 
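
An added example (not part of the original post or the Unraid webgui): a static check a plugin author could run over a page or popup's HTML to list subresources still referenced over http:// and to confirm both metatags are present. The function names, the set of tags checked and the cdn.example.com sample are assumptions made for illustration; URLs assembled at runtime by PHP or JavaScript are not visible to a static scan.

```python
from html.parser import HTMLParser

# Tag -> attribute that fetches a subresource; <a href> is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
                     "video": "src", "source": "src", "embed": "src",
                     "object": "data", "link": "href"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> kinds that fetch a resource
# The two metatags the post asks popups to carry (content compared without spaces).
REQUIRED_METAS = {("name", "robots"): "noindex,nofollow",
                  ("http-equiv", "content-security-policy"): "block-all-mixed-content"}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []        # (line, tag, url) for each http:// subresource
        self.metas_found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            content = a.get("content", "").lower().replace(" ", "")
            for (key, name), wanted in REQUIRED_METAS.items():
                if a.get(key, "").lower() == name and wanted in content:
                    self.metas_found.add(name)
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        is_link_other = tag == "link" and not LINK_RELS & set(a.get("rel", "").lower().split())
        if attr is None or is_link_other:
            return
        url = a.get(attr, "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((self.getpos()[0], tag, url))

def audit(html):  # -> (insecure subresources, names of missing required metatags)
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    missing = sorted(n for _, n in REQUIRED_METAS if n not in parser.metas_found)
    return parser.insecure, missing

# Constructed sample popup; cdn.example.com is a placeholder host.
SAMPLE_POPUP = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="http://cdn.example.com/popup.css">
</head><body><img src="https://cdn.example.com/logo.png">
<script src="http://cdn.example.com/popup.js"></script>
<a href="http://example.com/docs">docs</a></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_POPUP))
```

On the sample, the stylesheet and script are reported (they would be blocked when the page is served over https), the plain link is ignored, and the Content-Security-Policy metatag is flagged as missing.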
 
