From 905c374e3a46ca7d2ddd557b96dc5c55c3e47a11 Mon Sep 17 00:00:00 2001
From: TheFlow
Date: Fri, 24 Oct 2025 12:44:51 +1300
Subject: [PATCH] fix(security): remove deprecated CSP block-all-mixed-content directive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Removed 'block-all-mixed-content' from Content-Security-Policy as it's deprecated and made obsolete by 'upgrade-insecure-requests' which already handles mixed content by upgrading it to HTTPS. This eliminates the Firefox console warning: "Ignoring 'block-all-mixed-content' because mixed content display upgrading makes block-all-mixed-content obsolete." Modern browsers automatically upgrade all mixed content (HTTP resources on HTTPS pages) when upgrade-insecure-requests is present, providing the same security without the deprecated directive. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 src/middleware/security-headers.middleware.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/middleware/security-headers.middleware.js b/src/middleware/security-headers.middleware.js
index 005ed730..dea4b8aa 100644
--- a/src/middleware/security-headers.middleware.js
+++ b/src/middleware/security-headers.middleware.js
@@ -26,8 +26,7 @@ function securityHeadersMiddleware(req, res, next) {
 "frame-ancestors 'none'",
 "base-uri 'self'",
 "form-action 'self'",
- "upgrade-insecure-requests",
- "block-all-mixed-content"
+ "upgrade-insecure-requests"
 ].join('; ')
 );
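Review bot: The remaining `"upgrade-insecure-requests"` entry now carries the whole mixed-content guarantee for this policy, and nothing in the array says so. A one-line comment above it would stop the deprecated directive from being re-added later, for example `// also covers mixed content; block-all-mixed-content is obsolete alongside it`. The directive only rewrites subresource and same-site requests made by the page, so it does not replace Strict-Transport-Security for the initial navigation. The body of securityHeadersMiddleware starts and ends outside this hunk, so it is worth confirming the HSTS header is set elsewhere in the function.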