Mon. Apr 6th, 2020

Google Chrome 80 will mark “mixed content” site as “Not Secure”

2 min read

As one of the technology giants with the greatest appeal and influence on the Internet, Google has taken action to make the Internet more secure. From combating misbehaving ads to unsafe web content, Google actively guides developers and IT administrators to adopt the best industry management practices on Chrome web browsers.

Google said that Chrome users accounted for more than 90% of the time spent on secure HTTPS pages, and the company said it will continue to strengthen its control over web content by blocking unsafe content starting next year. Mixed content that’s still allowed includes images, audio, and video, though browsers today block scripts and iframes by default.

For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.

Google is taking a gradual approach to minimize any issues with the full timeline below

  • In Chrome 79, releasing to stable channel in December 2019, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
  • In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
  • Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
  • n Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.