From 391d7ef68000ad0a4b105bb6cebb90b04f69a7c5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 18 Jun 2021 05:08:04 -0400
Subject: [PATCH] explicitly block mixed content

---
 nginx/nginx.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index e013f69..614cf04 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -89,7 +89,7 @@ http {
 root /usr/share/webapps/element;
 include snippets/security-headers.conf;
- add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header Content-Security-Policy "frame-ancestors 'self'; block-all-mixed-content";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Robots-Tag "none";
 }
@@ -102,7 +102,7 @@ http {
 root /var/empty;
 include snippets/security-headers.conf;
- add_header Content-Security-Policy "frame-ancestors 'none'";
+ add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
 add_header X-Frame-Options "DENY";
 location = / {
@@ -113,7 +113,7 @@ http {
 proxy_hide_header Content-Security-Policy;
 proxy_hide_header X-Frame-Options;
 include snippets/security-headers.conf;
- add_header Content-Security-Policy "frame-ancestors 'none'";
+ add_header Content-Security-Policy "frame-ancestors 'none'; block-all-mixed-content";
 add_header X-Frame-Options "DENY";
 add_header X-Robots-Tag "none";
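Review bot: `block-all-mixed-content` on the new add_header line in the first hunk is marked obsolete in CSP Level 3, and Chromium-based browsers stopped honouring it once they started auto-upgrading or blocking mixed content themselves, so in those browsers the added directive is a no-op rather than the explicit guarantee the subject line suggests; it still takes effect in browsers that implement the older directive, so it is harmless as defence in depth. If the intent is to make sure no `http://` subresource is ever fetched from this page, `upgrade-insecure-requests` is the directive that remains supported, e.g. `add_header Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests";`. The policy also still carries no fetch directives (`default-src`, `script-src`), so it constrains framing and mixed content only; a short comment on the line saying so would stop the next maintainer from reading it as a full script policy.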
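Review bot: The CSP added in the second hunk sits at server level while the hunk ends by opening `location = / {`, whose body is outside the hunk; nginx inherits add_header directives from the enclosing level only when a location declares none of its own, so a single add_header inside that location would silently drop this header together with X-Frame-Options and everything pulled in from security-headers.conf. The third hunk appears to repeat the full header set inside a location for exactly this reason, which suggests the trap is known but undocumented. Worth a comment on the new line so it stays visible: `# nginx does not merge add_header across levels: any add_header in a nested location discards all of these - repeat them there.`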