- Google Chrome’s stance on websites that haven’t fully migrated to HTTPS is set to get tougher.
- It will be blocking mixed content by default gradually starting with Chrome 79.
Google’s developer page defines mixed content as, “Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection.”
- Browsers have until now overlooked the problem of mixed content, as long as the main page itself was loaded over HTTPS.
- Google already displays a ‘Not Secure’ indicator on form fields loaded over HTTP.
- Also, browser downloads via HTTP are blocked, even if the website is loaded via HTTPS.
Why it matters
Loading resources over HTTP undermines the protection HTTPS gives the page. An HTTP request is neither encrypted nor authenticated, so it is exposed to man-in-the-middle attacks: an attacker on the network path can read the request and alter the response.
“For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between,” reads a blog post by Google.
With most of Google Chrome’s traffic on HTTPS, Google is taking the next step to eliminate content loaded via HTTP.
Starting with Chrome 79, the company plans to gradually block all mixed content by default.
- Chrome 79 will feature a new setting to unblock mixed content on certain sites. Mixed scripts, iframes, and other content that Chrome blocks by default can be unblocked using this setting.
- Chrome 80 will automatically upgrade mixed audio and video resources to https://. If they fail to load over https://, they will be blocked. Mixed images will still be allowed to load, but with a ‘Not Secure’ chip.
- Chrome 81 will automatically upgrade mixed images to https://, and block images that don’t load over it.
Developers are advised to make sure that no element on their pages is still loaded over HTTP.
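The practical check behind that advice is to find every sub-resource an HTTPS page references over plain http://, and to know which of the rollout steps above would hit it. The scanner below is an added example written for this article; it is not Chrome's or Google's code. It resolves each `src`/`href` against the page URL (so protocol-relative `//host/...` and site-relative `/path` references correctly count as HTTPS), flags the ones that remain `http://`, and labels them with a simplified treatment table based on the Chrome 79–81 plan: scripts, iframes, stylesheets and objects as blocked, audio, video and images as auto-upgraded. That table, the element-to-attribute map, and the sample page are this example's own assumptions, not Chrome's actual rule set.

```python
"""Mixed-content scanner: an added example, not Chrome's or Google's code.

Given the HTML of a page served over https://, report every sub-resource
reference that would be fetched over plain http://, and classify it the way
the Chrome 79-81 rollout described above treats it: script/iframe-style
resources are blocked, audio/video and images are auto-upgraded to https://.
The classification table and the sample page below are this example's own
assumptions, not Chrome's implementation.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute carries the resource URL for each element (assumed subset).
URL_ATTRS = {
    "script": "src", "iframe": "src", "link": "href", "object": "data",
    "img": "src", "audio": "src", "video": "src", "source": "src",
}

# Treatment per element, following the rollout steps in the text (assumption:
# a simplified mapping, not an exhaustive list of Chrome's rules).
TREATMENT = {
    "script": "blocked", "iframe": "blocked", "link": "blocked", "object": "blocked",
    "audio": "upgraded", "video": "upgraded", "source": "upgraded",
    "img": "upgraded",
}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, url) pairs for elements that reference a sub-resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value.strip()))


def find_mixed_content(page_url, html):
    """Return a list of findings for http:// sub-resources on an https:// page.

    Each finding is a dict: tag, url (absolute), treatment ('blocked' or
    'upgraded'), upgraded_url (the https:// URL Chrome would try, or None).
    """
    if urlsplit(page_url).scheme != "https":
        # Mixed content is only defined for pages that are themselves HTTPS.
        return []
    collector = _SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        absolute = urljoin(page_url, raw)   # resolves relative and // URLs
        if urlsplit(absolute).scheme != "http":
            continue                        # https://, data:, blob: are fine
        treatment = TREATMENT[tag]
        upgraded = "https://" + absolute[len("http://"):] if treatment == "upgraded" else None
        findings.append({"tag": tag, "url": absolute,
                         "treatment": treatment, "upgraded_url": upgraded})
    return findings


# Constructed sample page (not a real site) exercising each case.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="//cdn.example/site.css">
<link rel="stylesheet" href="/static/local.css">
</head><body>
<img src="http://img.example/chart.png">
<video src="http://media.example/intro.mp4"></video>
<iframe src="https://pay.example/frame"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>
"""


def scan_sample():
    """Run the scanner over the constructed sample and return its findings."""
    return find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['treatment']:8} <{f['tag']}> {f['url']}"
              + (f"  -> {f['upgraded_url']}" if f["upgraded_url"] else ""))
```

On the constructed sample the scanner reports three findings: the script is blocked outright, while the image and the video are listed with the https:// URL Chrome would attempt instead. The protocol-relative stylesheet, the site-relative stylesheet, the HTTPS iframe and the `data:` image are not mixed content and are left alone; a page that is itself served over http:// returns no findings, because the mixed-content rules only apply once the main document is HTTPS. Note that the "upgraded" label only says Chrome would try https://; whether the resource actually loads there still has to be verified against the serving host.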