Having already introduced warnings in Chrome that let you know when you’re visiting a non-secure website – that is, HTTP rather than HTTPS – Google is taking things further and is planning to start blocking ‘mixed content’.
In future versions of Chrome, Google will block HTTP content that is loaded by encrypted HTTPS sites. The company is taking steps to address the problem of secure sites that pull in content – such as scripts, media files and iframes – that are not secure. It calls this mixed content.
The reason for wanting to lock this down further is that HTTP content can be interfered with. This means that an incorrect image could be displayed, or a malicious script could be run in the background.
As it has done with previous changes, the new security feature is going to be rolled out gradually. Starting with Chrome 79, which is due to move from the development and beta testing channels to a mainstream release in December, Google will start to completely block mixed content.
At the same time, the company will also introduce a new toggle that will enable users to unblock mixed content on specific sites. Google also says that in order to minimise disruption, it will “autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://”.
It’s for your own good…
With Chrome 80, Google will automatically upgrade mixed audio and video resources to https://, and Chrome will block them by default if they fail to load over https://. The browser will load mixed images, but Google says that this will cause Chrome to show a ‘not secure’ chip in the omnibox. This build of the browser is due to hit the early release channels in January 2020.
With Chrome 81 the following month, Google will continue to upgrade mixed content to HTTPS, and will start to block any images that fail to load in this way. The option to override this blocking will remain, so Chrome users should not find that any of their favourite websites suddenly become inaccessible. Google’s hope is that the move will encourage more website developers to stop the practice of using mixed content.
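For site owners who want to find mixed content before these releases arrive, here is an added example (not code from Google or from the original article) that scans a page's HTML for subresources requested over http:// and labels each with the handling described above. The function and class names, the sample page and the example.com hosts are constructed for illustration, and the scan only inspects `src` attributes.

```python
from html.parser import HTMLParser

KINDS = {"script": "script/iframe", "iframe": "script/iframe",
         "audio": "audio/video", "video": "audio/video", "img": "image"}
HANDLING = {  # per the rollout described in the article
    "script/iframe": "blocked; per-site unblock toggle arrives with Chrome 79",
    "audio/video": "Chrome 80: upgraded to https://, blocked if that fails",
    "image": "Chrome 80: loads, 'not secure' shown; Chrome 81: upgraded, blocked if that fails",
}

class MixedContentScanner(HTMLParser):
    """Collects subresources an HTTPS page requests over plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, url) tuples in document order
        self._in_media = False  # True while inside <audio> or <video>

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self._in_media = True
        kind = KINDS.get(tag)
        if tag == "source" and self._in_media:
            kind = "audio/video"  # <source> inherits from its media parent
        url = (dict(attrs).get("src") or "").strip()
        if kind and url.lower().startswith("http://"):
            self.findings.append((kind, url))

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self._in_media = False

def scan(html):
    """Return [(kind, url, handling)] for every http:// subresource in html."""
    parser = MixedContentScanner()
    parser.feed(html)
    return [(k, u, HANDLING[k]) for k, u in parser.findings]

# Constructed sample page, assumed to be served over https://
SAMPLE = """<html><body>
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<img src="HTTP://img.example.com/logo.png">
<video controls><source src="http://media.example.com/clip.mp4"></video>
<iframe src="//widgets.example.com/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url, handling in scan(SAMPLE):
        print(f"{kind:14} {url} -> {handling}")
```

Protocol-relative URLs such as `//widgets.example.com/frame` inherit the page's https:// scheme, so the scan does not report them.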