Google Chrome will block insecure content loading on HTTPS pages
In a bid to secure users, Google started labeling HTTP websites as “Not Secure” with Chrome 68 earlier this year. Thanks to this change, it became easier for users to spot when they were browsing a potentially unsafe website. Moreover, it also prompted developers to update their websites with SSL certificates. Now, in a bid to further bolster security, Google is working to prevent insecure HTTP subresources from loading on HTTPS pages.
In a recent post on the Chromium Blog, the company has outlined steps to completely block mixed content. For the unaware, HTTPS pages commonly feature mixed content, where some subresources are insecurely loaded over HTTP. But while browsers block many types of mixed content by default, images, audio and video are still allowed to load. This could potentially allow attackers to tamper with mixed content and compromise user security.
Therefore, starting from Chrome 79 onwards, the browser will gradually move to block all mixed content by default. In order to prevent websites from breaking due to the change, Google will auto-upgrade mixed resources to HTTPS. However, users will still have the option to opt-out of mixed content blocking on particular websites. The company has also provided resources for developers to help them find and fix mixed content on their websites.
In Chrome 79, which will be released to the stable channel in December this year, Google will introduce a new setting to unblock mixed content. The new setting will apply to mixed scripts, iframes, and other mixed content that Chrome currently blocks by default. Mixed audio and video resources will then be auto-upgraded to HTTPS in Chrome 80. In case the resources fail to load over HTTPS, they will be blocked. Mixed images, however, will still be allowed to load, but they will bring up the “Not Secure” label in the omnibox.
In the following Chrome 81 update, mixed images will also be auto-upgraded to HTTPS. And once again, images that fail to load over HTTPS will be blocked. Developers who wish to migrate their mixed content to HTTPS can check the available resources in the official post linked below.
Source: Chromium Blog