Go to Mediavine
All Collections
Advanced
SSL / HTTPS
HTTPS: Upgrading your CSP to Block-All-Mixed-Content from Upgrade-Insecure-Requests

HTTPS: Upgrading your CSP to Block-All-Mixed-Content from Upgrade-Insecure-Requests

When your site is SSL, you need a CSP. We're now recommending the block-all version of the CSP.
Nicole Johnson avatar
Written by Nicole Johnson. Updated over a week ago

This help page is going to walk you through upgrading your current CSP from the upgrade-insecure version to the block-all version, why you need to do this, and what you need to know before you make the switch. 

First - let's discuss which of you are here unnecessarily, and who needs to pay super close attention and read everything and not just skim. ;) 

READ ON IF:

  • You are a Mediavine Publisher with an HTTPS site, with a CSP currently installed either via MCP or hard-coded into the <head></head>.

YOU CAN STOP HERE IF:

  • Your site isn't SSL/HTTPS. (no lock symbol or https in your URL)

  • You are SSL/HTTPS but don't yet have a CSP. Please pop over to this helpful doc instead.

  • You aren't a Mediavine Publisher. Please contact your ad network for instructions on installing a CSP, and their specific recommendations. Or APPLY with us, in which case this will be of help to you very soon.

Why are we requiring this?

Recently we learned that in some cases Chrome wasn't respecting the "upgrade-insecure-requests" Content Security Policy that is required to be set in the head tag of websites that are HTTPS, and also running advertising. 

For this reason, we are now requiring all sites that are SSL + running Mediavine ads to have a "block-all-mixed-content" CSP. The Mediavine Control Panel is a popular way to install this CSP. We've updated the plugin to this new version. 

This will ensure that your ads will never serve insecure assets, and will never break  your lock symbol in your browser, or cause issues with your HTTPS/SSL.

If you have the CSP Installed via the Mediavine Control Panel plugin, please take the following steps PRIOR TO UPDATING YOUR CSP SETTINGS.

How to upgrade your CSP using the MCP PLUGIN

  1. Go to this page and run a test of your url. If you get all greens there, move onto step 2. If you get less than all greens, STOP RIGHT HERE and contact your managed host or developer (preferably whomever launched your SSL), to help troubleshoot your HTTPS/SSL. When your site passes the test on that page, move onto step 2.

  2. If you haven't already, update your Mediavine Control Panel plugin to version 1.7.0 or higher.

  3. Go to your Mediavine Control Panel Plugin Settings.

  4. Click on the "update your security settings" link, and you'll be taken to the MCP Plugin Settings Page. 

  5. Scroll down to the "Security Policy" section. 

  6. Check "Block Insecure Assets"

  7. Click Save. 

  8. Clear your site's cache and your browser's cache, and go to your site in a Chrome incognito window. Browse around to a few different posts and pages. Make sure all of your images and widgets are behaving as you would expect. 

If you have the CSP installed manually, please follow these instructions to update:

  1. Login to your WP backend. Locate where the existing CSP is placed. For most sites, this will be in the Theme Settings Header Section, in the Head & Footer plugin settings, or in Genesis Simple Hooks. 

  2. Remove the existing code, which should look like this: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> and add the following in its place <!-- CSP PLACEHOLDER --> 

  3. Save your changes. 

  4. Go to this page and run a test of your url. If you get all greens there, move onto step 5. If you get less than all greens, STOP RIGHT HERE and contact your managed host or developer (preferably whomever launched your SSL), to help troubleshoot your HTTPS/SSL. When your site passes the test on that page, move onto step 5.

  5. Log back into your WP backend and find where you added the <!-- CSP PLACEHODER --> tag. Remove that and instead add the Block-All-Mixed-Content CSP code found below

  6. Save your changes

  7. Clear your site's cache and your browser's cache, and go to your site in a Chrome incognito window. Browse around to a few different posts and pages. Make sure all of your images and widgets are behaving as you would expect. 

BLOCK-ALL-MIXED-CONTENT CSP CODE

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

IF YOU ARE NOT ABLE TO UPDATE YOUR CSP RIGHT NOW DUE TO SECURITY ERRORS:

This will need to be put back in place and the security issues fixed ASAP. Having a site with broken security will negatively impact user experience.

Let us know if you have any questions, and if there's anything we can do to help! We're always available at publishers@mediavine.com.

Did this answer your question?