Google Chrome 86 will warn users about filling out insecure forms on HTTPS pages
When Google rolls out Chrome 86 in October, the web browser will warn people when they try to complete forms that are submitted insecurely on otherwise secure (HTTPS) pages, which Google calls “mixed forms.” According to Google, the new warning is meant to provide users with a more secure browsing experience, as submitting information on insecure forms could potentially reveal private information to eavesdroppers.
Google says that Chrome 86 will introduce the following changes:
- Autofill will be disabled on mixed forms, but Chrome’s password manager will continue to work. That’s because the password manager is designed to help users input unique passwords and is thus safe to use even on forms that are submitted insecurely. It’s better to allow users to use the password manager than to have them reuse old passwords.
- When a user starts filling out a mixed form, they will see text warning them that the form is not secure.
- If a user tries to submit a mixed form, they will see a full-page warning that alerts them to the potential risk and asks them to confirm whether they’d like to submit the form anyway.
In the past, Chrome would remove the lock icon from the address bar when a mixed form was used. Google said this experience was confusing to the end-user as it did not properly inform users of the risks associated with submitting data in insecure forms, which is why it’s making the change.
Today’s announcement is the latest in Google’s efforts to end the use of HTTP content on the web. Back in July of 2018, Google Chrome began labeling all HTTP sites as “not secure.” The browser also blocks mixed downloads and other insecure content from loading on HTTPS pages. Blocking mixed forms is a logical progression, so web developers should have seen this change coming. For those who want to fully migrate forms on their site to HTTPS, Google offers tips to help with the transition.
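For site owners preparing for the change, the following added example (not code from Google or Chrome, and only an approximation of the definition above, not Chrome's own detection logic) scans a page's static HTML for submission targets that resolve to `http://` when the page itself is served over HTTPS. The names `find_mixed_forms` and `_FormCollector`, the sample URL, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://shop.example/pay"><input name="card"></form>
<form action="/search"><input name="q"></form>
<form action="//cdn.example/subscribe"><input name="email"></form>
<form action="https://shop.example/login">
  <input name="user"><button formaction="http://legacy.example/login">Old</button>
</form>
"""

class _FormCollector(HTMLParser):
    """Collects submission targets: <form action> and formaction overrides."""
    def __init__(self):
        super().__init__()
        self.base = None    # href of the first <base> element, if any
        self.targets = []   # (tag, attribute, raw value) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.targets.append((tag, "action", a.get("action") or ""))
        elif tag in ("button", "input") and a.get("formaction"):
            self.targets.append((tag, "formaction", a["formaction"]))

def find_mixed_forms(page_url, html):
    """Return (tag, attribute, resolved_url) for each insecure target on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page is not HTTPS, so its forms are not "mixed"
    parser = _FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    findings = []
    for tag, attr, raw in parser.targets:
        raw = raw.strip()
        resolved = urljoin(base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, attr, resolved))
    return findings

if __name__ == "__main__":
    for finding in find_mixed_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

The check covers static markup only, so a form whose action is set by script at runtime will not be seen.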