Google has announced that it will begin blocking mixed content on https:// pages by default.
The reveal was detailed on the Chromium Blog, which stated that the change was being implemented to improve security and privacy.
According to the blog, there has been significant progress in transitioning webpages from http:// to the more secure https:// over the past few years, with over 90 per cent of Chrome users browsing on the latter.
However, HTTPS alone doesn’t protect users from mixed content, which is where some subresources on an https:// page are loaded over http://. Such subresources typically include images, iframes, audio, video and scripts.
The blog explains why this can be an issue:
“For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.”
The rollout will be done in stages, beginning with Chrome 79 in December. A new setting will be introduced that allows users to unblock mixed content on specific sites.
You’ll be able to reach it via the lock icon on any https:// page and then ‘Site settings’.
Chrome 80, which will appear on early release channels in January 2020, will auto-upgrade mixed audio and video resources to https://, and will block them if they fail to load over https://.
Blocked resources can be unblocked with the setting introduced in Chrome 79.
Mixed image resources will still load in Chrome 80, but will trigger a ‘Not Secure’ warning.
Chrome 81 will land on early release channels in February 2020 and will auto-upgrade mixed images to https://. As with mixed audio and video, Chrome will block them if they fail to load over https://.
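As an added illustration for developers auditing their own pages (this is not code from the Chromium Blog post or from Chrome itself), the following Node.js snippet lists the http:// subresources in a page and applies the per-release handling described above. The page URL, the tag table and the sample HTML are constructed for the example; how Chrome handles active content such as scripts and iframes is not covered by the post, so the script only reports those.

```javascript
// Added example, not code from the Chromium Blog post or from Chrome itself:
// a dependency-free Node.js audit that finds mixed content in a page and
// applies the per-release handling the article describes. The page URL,
// the tag table and the sample HTML are constructed for illustration.

const PAGE_URL = "https://shop.example/checkout"; // assumed https:// page

// Subresource tags the article lists, the attribute carrying their URL, and
// whether they are passive (auto-upgraded in Chrome 80/81) or active.
const RESOURCE_TAGS = {
  img:    { attr: "src", kind: "passive" },
  audio:  { attr: "src", kind: "passive" },
  video:  { attr: "src", kind: "passive" },
  script: { attr: "src", kind: "active" },
  iframe: { attr: "src", kind: "active" },
};

const TAG_RE = /<(img|audio|video|script|iframe)\b([^>]*)>/gi;

// Pull one attribute value out of a tag's attribute string (quoted or bare).
function attrValue(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Return every subresource that resolves to http:// on the https:// page.
// Relative paths and protocol-relative "//host/..." URLs inherit https
// from the page and are therefore not mixed content.
function findMixedContent(pageUrl, html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const { attr, kind } = RESOURCE_TAGS[tag];
    const raw = attrValue(m[2], attr);
    if (raw === null) continue;
    let resolved;
    try { resolved = new URL(raw, pageUrl); } catch { continue; } // malformed URL: skip
    if (resolved.protocol !== "http:") continue;
    findings.push({ tag, kind, url: resolved.href });
  }
  return findings;
}

// What the staged rollout in the article does with a passive mixed resource
// in a given Chrome release. Active content (script, iframe) is outside the
// article's upgrade plan, so it is only reported for manual migration.
function chromeAction(version, finding) {
  if (finding.kind === "active") return "report";
  if (version >= 81) return "upgrade";                                  // Chrome 81: images too
  if (version >= 80) return finding.tag === "img" ? "warn" : "upgrade"; // Chrome 80: audio/video
  return "load";                                                        // Chrome 79: unchanged, per-site setting only
}

// The upgrade is a scheme rewrite; in the real browser the resource is then
// blocked if the https:// fetch fails, which this offline example cannot check.
function upgradeUrl(url) {
  const u = new URL(url);
  u.protocol = "https:";
  return u.href;
}

function auditPage(pageUrl, html, version) {
  return findMixedContent(pageUrl, html).map((f) => {
    const action = chromeAction(version, f);
    return { ...f, action, upgradedUrl: action === "upgrade" ? upgradeUrl(f.url) : null };
  });
}

// Constructed sample page: two mixed passive resources, one mixed script, and
// three resources that look suspicious but actually resolve to https://.
const SAMPLE_HTML = `
<img src="http://cdn.example/chart.png" alt="stock chart">
<img src="//cdn.example/logo.png">
<video src='http://media.example/clip.mp4'></video>
<script src="http://static.example/app.js"></script>
<script src="/js/local.js"></script>
<iframe src="https://widgets.example/embed"></iframe>
`;

for (const v of [79, 80, 81]) {
  console.log(`Chrome ${v}:`);
  for (const r of auditPage(PAGE_URL, SAMPLE_HTML, v)) {
    console.log(`  ${r.tag.padEnd(6)} ${r.action.padEnd(7)} ${r.url}${r.upgradedUrl ? " -> " + r.upgradedUrl : ""}`);
  }
}
```

Run with `node audit.js` against your own saved HTML to see which resources each release will upgrade, warn on or leave for you to fix. Sites that want the same scheme rewrite applied by every browser today, rather than waiting for Chrome 80/81, can send the Content-Security-Policy directive `upgrade-insecure-requests`, which instructs the browser to fetch http:// subresources over https://.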
Google hopes these moves will encourage developers to migrate mixed content to https:// and so avoid such security issues. It has provided resources on how to do this on the blog. [Chromium Blog]