Web sites and applications are vulnerable to attack by malicious third parties. One class of security vulnerabilities relates to the fact that a web page may include content or resources from a number of different sources. If any of the resources loaded by a web page uses an unsecure channel (e.g., an unencrypted network connection), a “man-in-the-middle” attacker (e.g., someone who has access to the unsecure channel between an end user's browser and the server delivering the web page) can eavesdrop or inject his own malicious content that can rewrite or otherwise alter the content of the web page; including delivery of malware to the end user. For example, if all of the resources associated with a web page are loaded via secure channels but the fonts are loaded using a plain text connection, an attacker can overwrite the fonts with a payload that can take advantage of vulnerabilities in browser components responsible for font handling. These kinds of vulnerabilities are commonly referred to as “mixed content” vulnerabilities. Some technologies, e.g., browser security directives, have been developed to mitigate some attack vectors, but many of these solutions are difficult to understand, implement, or maintain.