nginx add_header Content-Security-Policy “upgrade-insecure-requests；connect-src *“；

背景是这样 后端写了个静态网页，页面里面有对资源http的调用，导致js在请求时，报了个错

Mixed Content: The page at 'https://huangkaikang.com/' was loaded over HTTPS, but requested an insecure frame 'http://huangkaikang.com/resume/'. This request has been blocked; the content must be served over HTTPS.

类似这样，看字面意思，结合google想到这个应该可以在nginx那边加个重定向或者header来解决

遂查到了

add_header Content-Security-Policy "upgrade-insecure-requests;connect-src *";

这个加在nginx的 server块里就好了，页面中不安全的http请求会被转为https

问题的根源应该就是浏览器js的安全机制，不允许在嵌套在https的页面中进行http请求吧？大致理解是这样