Google was a big HTTPS proponent over the past decade and led a successful adoption push. Chrome is now making further security enhancements by blocking mixed content — insecure http:// subresources on https:// pages — by default.
According to Google today, “Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms.” However, many HTTPS pages are still not fully secure, because some of their subresources still load over plain HTTP.
Mixed content that’s still allowed includes images, audio, and video, though browsers today block scripts and iframes by default.
For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.
Starting with Chrome 79, currently in the dev channel, the browser will begin blocking all mixed content by default. Google is taking a gradual approach to minimize any issues, with the full timeline below. The process starts in December and is set to finish with Chrome 81 next year.
- In Chrome 79, releasing to stable channel in December 2019, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
- In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
- Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
- In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.
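A site owner who wants to get ahead of this timeline needs two things: a way to find the http:// subresources on their https:// pages, and the Content-Security-Policy directive that tells the browser to upgrade or block them. The script below is an added example, not code from the article or from Google/Chrome. It walks an HTML document with the standard library parser, resolves each subresource URL against the page URL (so relative and protocol-relative URLs are correctly not reported as mixed), labels each finding with the treatment the article describes for that resource kind, and returns the CSP header value to send. The element/attribute table and the sample HTML are constructed for the example and are not exhaustive.

```python
"""Audit an https:// page's HTML for mixed-content subresources (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# How the article says Chrome treats each kind of http:// subresource on an
# https:// page, keyed by the element that fetches it.
TREATMENT = {
    "script": "blocked by default (already the case before Chrome 79)",
    "iframe": "blocked by default (already the case before Chrome 79)",
    "audio": "auto-upgraded to https://, blocked if that fails (Chrome 80)",
    "video": "auto-upgraded to https://, blocked if that fails (Chrome 80)",
    "img": "loads with a 'Not Secure' chip in Chrome 80; auto-upgraded/blocked in Chrome 81",
}

# Attributes that trigger a subresource fetch for the elements audited here.
# Assumption of this example, not an exhaustive list of what browsers fetch.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),  # <source> child of <audio>/<video>
}


class MixedContentScanner(HTMLParser):
    """Collects (kind, absolute_url, treatment) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._media_parent = None  # set while inside <audio> or <video>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video"):
            self._media_parent = tag
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value:
                self._record(tag, value)

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self._media_parent = None

    def _record(self, tag, value):
        # Resolve against the page first: "/logo.png" and "//cdn/x.js" on an
        # https:// page resolve to https:// and are therefore not mixed content.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme != "http":
            return
        kind = self._media_parent if (tag == "source" and self._media_parent) else tag
        self.findings.append((kind, resolved, TREATMENT.get(kind, "not covered by the article")))


def scan(html, page_url):
    """Return mixed-content findings for an HTML document served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def csp_header(findings, upgrade=True):
    """Content-Security-Policy value that removes the warning the article describes.

    upgrade-insecure-requests makes the browser rewrite http:// subresource URLs
    to https:// before fetching; block-all-mixed-content refuses them outright.
    Returns None when there is nothing to fix.
    """
    if not findings:
        return None
    return "upgrade-insecure-requests" if upgrade else "block-all-mixed-content"


# Constructed sample: an https:// page with three real mixed loads and two
# URLs that look suspicious but resolve to https:// (relative and scheme-less).
PAGE_URL = "https://www.example.test/report"
SAMPLE_HTML = """
<html><body>
<img src="http://cdn.example.test/chart.png">
<img src="/static/logo.png">
<script src="http://cdn.example.test/app.js"></script>
<video poster="https://cdn.example.test/poster.jpg">
  <source src="http://cdn.example.test/clip.mp4" type="video/mp4">
</video>
<iframe src="//cdn.example.test/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = scan(SAMPLE_HTML, PAGE_URL)
    for kind, url, treatment in found:
        print(f"{kind:7} {url}\n        -> {treatment}")
    print("Content-Security-Policy:", csp_header(found))
```

Serving the returned value as the `Content-Security-Policy` response header (or as a `<meta http-equiv>` tag) on every https:// page is the fix the article points to; `upgrade-insecure-requests` is the gentler choice because the resource still loads if the origin answers over https://, whereas `block-all-mixed-content` breaks it immediately and is better suited to a staging environment where you want failures to be loud.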