Google Chrome has already started blocking some types of “mixed content” on the web. Now Google has announced it is getting even more serious about the issue: Chrome will block all mixed content by default, breaking some existing web pages, starting in early 2020. Here’s why Google Chrome is blocking mixed content on the web.
There are two types of content here: content delivered over a secure, encrypted HTTPS connection, and content delivered over an unencrypted HTTP connection.
With HTTPS, the content cannot be snooped on or tampered with in transit, which is why websites that handle financial information or private data offer encryption.
The web is moving quickly toward secure HTTPS websites. Google Chrome now warns you that a site is “Not Secure” when you connect to an older HTTP website without encryption. Google even hides the “https://” indicator by default, since sites should simply be secure by default. The new HTTP/3 standard will also have built-in encryption.
Some web pages are neither entirely HTTPS nor entirely HTTP: the page itself is delivered over a secure HTTPS connection, but it pulls in images, scripts, or other resources via an unencrypted HTTP connection.
Such web pages have “mixed content” and are not fully secure. The web page itself cannot be tampered with in transit; however, it may pull in a script, image, or iframe that could have been.
If you are on an untrustworthy public Wi-Fi network, for instance, that script could be modified in transit to do many nasty things on the web page, anything from monitoring your keystrokes to inserting a tracking cookie.
Scripts and iframes are active content and are the most dangerous, but even mixed images, video, and audio can be risky. For example, imagine you are viewing a secure stock trading website that pulls in an image of a stock’s price history via HTTP.
That image is not secure: it could have been tampered with in transit to show incorrect details. And because it was delivered over an unencrypted connection, anyone snooping on the traffic likely knows which stock you are looking at.
Mixing content like this is a bad idea. If a web page uses HTTPS, all its resources should be pulled in via HTTPS as well. It is a historical accident that the web started with HTTP and websites gradually upgraded to HTTPS.
As they did, they did not always update every resource to HTTPS, or they depended on a third-party resource that did not support HTTPS at the time.
Now that Google and other browser vendors are making mixed content harder to use and discouraging it, websites will have to clean things up if their pages are to keep working by default.
Chrome currently blocks mixed scripts and iframes. In Chrome 80, which will reach early release channels in January 2020, Chrome will also block mixed audio and video resources. Technically, it will first try to load them over a secure HTTPS connection instead and block them only if that fails.
Mixed images will still load, but Chrome will mark the web page as “Not Secure.” In Chrome 81, Chrome will stop loading mixed images too. Users can choose to allow the mixed content to load, but it will not load by default.
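To make the distinctions above concrete, here is a small added example (not Chrome’s code, and not part of the original article) that scans an HTTPS page’s HTML for sub-resources fetched over plain HTTP, separates active content (scripts, iframes) from passive content (images, audio, video), and reports how the article says each Chrome release treats it. The page URL, HTML and hostnames are constructed for the demo; the per-release treatment table is an encoding of the article’s own description and should be checked against Chrome’s release notes before anyone relies on it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlunparse

# Element/attribute pairs that fetch a sub-resource. Only the element types the
# article discusses are listed (assumption: stylesheets, fonts, etc. are omitted).
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "audio": "src", "video": "src"}

# Active content can rewrite the page; passive content can only be swapped out.
ACTIVE = {"script", "iframe"}
PASSIVE = {"img", "audio", "video"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, raw_url) for every sub-resource reference in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value.strip()))


def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for sub-resources an HTTPS page fetches over http://.

    Relative and protocol-relative ("//host/x.js") URLs inherit the page's scheme
    and are therefore not mixed; data: URLs involve no network fetch at all.
    """
    if urlparse(page_url).scheme != "https":
        return []  # only an HTTPS page can have mixed content
    collector = _ResourceCollector()
    collector.feed(html)
    collector.close()
    mixed = []
    for tag, raw in collector.found:
        absolute = urljoin(page_url, raw)
        if urlparse(absolute).scheme == "http":
            mixed.append((tag, absolute))
    return mixed


def upgraded_url(url):
    """The rewrite Chrome's autoupgrade attempts: same resource, https:// scheme."""
    return urlunparse(urlparse(url)._replace(scheme="https"))


def chrome_treatment(tag, version):
    """How the article describes Chrome treating a mixed resource of this type.

    Assumption: this table is read off the article's prose (Chrome 79/80/81);
    check it against Chrome's own release notes before relying on it.
    """
    if tag in ACTIVE:
        return "blocked"  # mixed scripts and iframes are already blocked
    if tag in ("audio", "video"):
        # Chrome 80: try https:// first, block if the upgrade fails.
        return "autoupgrade-or-block" if version >= 80 else "loaded-with-warning"
    if tag == "img":
        # Images keep loading (page marked "Not Secure") until Chrome 81.
        return "autoupgrade-or-block" if version >= 81 else "loaded-with-warning"
    return "not-mixed-content"


def report(page_url, html, version):
    """Per-resource verdicts: (tag, original_url, treatment, url_autoupgrade_would_try)."""
    return [
        (tag, url, chrome_treatment(tag, version), upgraded_url(url))
        for tag, url in find_mixed_content(page_url, html)
    ]


# Constructed sample: an HTTPS "stock trading" page with a few mixed references.
SAMPLE_PAGE_URL = "https://trading.example/portfolio"
SAMPLE_HTML = """
<html><head>
  <script src="http://cdn.example.net/analytics.js"></script>
  <script src="//cdn.example.net/app.js"></script>
</head><body>
  <img src="http://charts.example.net/ACME/history.png" alt="ACME price history">
  <img src="/static/logo.png">
  <video src="http://media.example.net/intro.mp4"></video>
  <iframe src="https://widgets.example.net/ticker"></iframe>
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for version in (79, 80, 81):
        print(f"Chrome {version}:")
        for tag, url, treatment, upgraded in report(SAMPLE_PAGE_URL, SAMPLE_HTML, version):
            print(f"  <{tag}> {url} -> {treatment} (autoupgrade target {upgraded})")
```

Run against the constructed page, the scanner flags exactly three mixed references (the analytics script, the chart image and the intro video) and ignores the protocol-relative script, the site-relative logo, the HTTPS iframe and the data: URL. A site owner can point the same scan at their own templates to find the references that need an https:// rewrite before Chrome starts refusing them.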
It is all part of making the web more secure. Google’s own blog post says that it expects the “Not Secure” message “will motivate websites to migrate their images to HTTPS.”
Google Chrome has already started blocking some types of mixed content, showing a shield icon in the address bar and an “Insecure content blocked” message. You can see how Chrome handles it on the mixed content example page created by Google.
For example, you have to click a link named “Load unsafe scripts” to unblock a mixed content script. If you agree to run the mixed content, the web page’s indicator changes from Secure to Not Secure.
Google will simplify this in Chrome 79, which will be released sometime in December 2019. You will click the lock icon to the left of the page’s address, click “Site Settings,” and then unblock mixed content for that site.
The option becomes more buried, but that is the point. Most people should never need to enable mixed content for a website; website developers need to fix their websites to deliver resources securely.
This option will ensure that anyone using an older business website can continue accessing it, even though mixed content is disabled by default for everyone.
If you depend on a website that requires this, do not worry: Google has not announced a date for removing the option to load mixed content from Chrome. The browser will block all mixed content by default, but it will continue to offer an option to enable it for the foreseeable future.
Chrome is not alone. Mozilla Firefox also blocks mixed content such as scripts and iframes, and requires you to click a “Disable protection for now” setting to re-enable it. We can expect Mozilla to follow in Google’s footsteps. Apple’s Safari is aggressive about blocking mixed content too.
Microsoft’s new Edge browser, meanwhile, is based on the Chromium code that underlies Google Chrome and will behave like Chrome.