Google has confirmed that the Chrome web browser will start blocking HTTPS pages from loading insecure HTTP resources, to improve user privacy and web browsing safety.
Mixed content is content on an HTTPS page that is loaded over an insecure HTTP connection instead of over HTTPS; it undermines both the security and the user experience of HTTPS websites. Google gives several examples of how mixed content weakens HTTPS on its Web Fundamentals developer platform.
The Google Chrome security team says: “we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default, which will boost user privacy and security on the internet and offer users a better security UX.”
“The internet has made significant progress in the last several years in the transition to HTTPS: Chrome users spend more than 90 per cent of their browsing time on HTTPS on all major platforms,” they say. “We are now turning our focus to ensuring that HTTPS configurations across the web are secure and up-to-date.”
Mixed Content affects the Security UX of the Browser
Since HTTPS pages may currently load resources from a mix of secure and insecure origins, an attacker on the network can intercept the unprotected HTTP resources and tamper with them to inject malicious code or alter page content as they wish.
Chrome already blocks by default the kinds of mixed content that are considered the most dangerous, such as scripts and iframes, but it still allows other kinds, such as multimedia content like images, audio and video, to load over HTTP, which weakens the user’s protection in the long run.
“Loading mixed content often results in a confusing browser security UX, where the site is presented as neither secure nor insecure, but somewhere in between,” adds the Chrome security team.
(Image: Chrome blocking an insecure script)
Mixed Blocking Web Roll-Out
The changes leading to automatic blocking of all mixed content in Google Chrome will be rolled out gradually, spread across several releases.
For example, in the Chrome 79 stable release, which arrives in December, users will first be able to unblock blocked content per site “by clicking on the lock icon on any https:// page and clicking on Site Settings.” With Chrome 80, released in January 2020, “mixed audio and video resources will be auto-upgraded to https://, and Chrome will block them by default.”
Chrome 80 will also mark a site as “Not Secure” in the omnibox chip when an HTTPS page loads images over insecure HTTP connections.
(Image: Unblock mixed content loads via Site Settings)
“Developers may use the Content Security Policy directives upgrade-insecure-requests or block-all-mixed-content to avoid this warning,” added the Google Chrome security team.
In February 2020, when Chrome 81 is released, Chrome will automatically upgrade all mixed images to https:// and block any that do not load over HTTPS.
Further Privacy and Security Improvements
In related news, the browser no longer shows the company name in the omnibox for pages using Extended Validation (EV) TLS/SSL certificates; the company name has moved to the page info bubble that appears when you click on the lock icon.
In September, Google also introduced a new experimental flag in Chrome Canary, “Enable enhanced cookie controls user interface”, which, when enabled, adds a new “Block cookies” option to the “Cookies and site data” settings.
This came right after Mozilla released Firefox 69, which blocks third-party tracking cookies automatically as part of its Enhanced Tracking Protection functionality.
Finally, the Google Chrome security team suggests that web developers fix all mixed content served on their websites, and offers the following tips and guidelines:
- Use Content Security Policy and Lighthouse’s mixed content audit to discover and fix mixed content on your site.
- See this guide for general advice on migrating servers to HTTPS.
- Check with your CDN, web host, or content management system to see if they have special tools for debugging mixed content. For example, Cloudflare offers a tool to rewrite mixed content to https://, and WordPress plugins are available as well.
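The recommendation to find mixed content and then remediate it with the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives can be put into a small offline audit. The script below is an added example and is not code from the article, from Google or from Chrome: it parses a page's HTML with the standard library, resolves every subresource URL against the page URL (so protocol-relative `//cdn/...` references are handled correctly), reports those that would be fetched over http://, classifies them the way the article does (scripts, iframes and stylesheets are blockable; images, audio and video are optionally blockable), and prints the CSP header to ship. The page URL, host names and HTML document are constructed for the example.

```python
"""Audit an HTTPS page for mixed content and suggest the CSP fix.

Added example, not the article's or Chrome's own code. The sample page,
its URL and the host names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource, and how Chrome treats
# an insecure one: scripts, iframes and stylesheets are "blockable";
# images, audio and video are "optionally-blockable".
SUBRESOURCE_ATTRS = {
    ("script", "src"): "blockable",
    ("iframe", "src"): "blockable",
    ("link", "href"): "blockable",
    ("img", "src"): "optionally-blockable",
    ("audio", "src"): "optionally-blockable",
    ("video", "src"): "optionally-blockable",
    ("source", "src"): "optionally-blockable",
}


class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that resolve to http:// on an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url, category)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, a), category in SUBRESOURCE_ATTRS.items():
            if t != tag or not attrs.get(a):
                continue
            # Resolve relative and protocol-relative URLs against the page,
            # exactly as the browser would before deciding how to fetch them.
            url = urljoin(self.page_url, attrs[a])
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url, category))


def scan_mixed_content(page_url, html):
    """Return (tag, url, category) findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def summarize(findings):
    """Count findings per category, e.g. {'blockable': 3, 'optionally-blockable': 1}."""
    counts = {}
    for _, _, category in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def recommended_csp(findings, strict=False):
    """Return the CSP header that remediates the findings, or None if clean.

    upgrade-insecure-requests makes the browser rewrite http:// subresource
    URLs to https:// before fetching; block-all-mixed-content refuses to
    fetch them at all, which is the stricter choice when the http:// hosts
    cannot be reached over HTTPS anyway.
    """
    if not findings:
        return None
    directive = "block-all-mixed-content" if strict else "upgrade-insecure-requests"
    return "Content-Security-Policy: " + directive


# Constructed sample page: an HTTPS shop page with a mix of secure,
# relative, protocol-relative and plain-http subresources.
SAMPLE_PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="//img.example/hero.png">
<video src="/media/intro.mp4"></video>
<iframe src="http://widgets.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for tag, url, category in found:
        print(f"{category:21} <{tag}> {url}")
    print(summarize(found))
    print(recommended_csp(found))
```

On the sample page the scanner reports four insecure subresources (three blockable, one optionally blockable); the protocol-relative image and the site-relative video resolve to https:// and are correctly left out. Running the same audit against the raw HTML of a real site before enabling the CSP header shows which references the header will rewrite, and which ones need the markup itself fixed because the host does not serve HTTPS.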