Google Chrome to start blocking all types of mixed content in HTTPS web pages from January 2020
A web site might be HTTPS, but its sub-resources, such as ads, are often downloaded via insecure HTTP
Google has announced that its Chrome web browser will begin blocking all types of non-HTTPS content starting from January 2020. The move will affect web-page sub-resources, such as adverts, that are often still downloaded via insecure HTTP.
The company is now advising publishers, in particular, to check their website to ensure that it uploads no sub-resources, such as audios, videos, images, scripts, styles and iframes, using HTTP.
According to Google, mixed content occurs when a web page is initially uploaded through HTTPS connection, but its sub-resources are loaded over an insecure HTTP connection. Such content, according to Google, presents a security risk to websites as well as their visitors.
Google has led the push for websites to shift to HTTPS, tagging any web page that isn't as 'insecure', while downranking non-HTTPS website in its search engine. Other browser makers have followed Google's lead.
The company claims that people using Chrome now spend over 90 per cent of their "browsing time on HTTPS on all major platforms" - that, presumably, according to the telemetry data it exfiltrates from Chrome users.
Presently, most modern browsers display a warning about mixed content to alert users about insecure resources on the web page. They also block some mixed content, such as iframes and scripts, by default; although audio, video and images are still allowed to load.
Google is concerned about this issue and wants to tighten the noose on mixed content.
According to Google, Chrome 79, which will be released to the 'stable channel' in December 2019, will come with an option for users to unblock insecure resources, like inframes and scripts, which are currently blocked by default. The unblocking of such mixed content will be available on per-site basis.
In January 2020, Google will release Chrome 80 to the 'development channel', which will mark even HTTPS pages with mixed content as Not Secure. It will also auto-upgrade mixed audio and video resources to HTTPS, and resources that fail to load over HTTPS will be blocked by the browser. Users will have the option to unblock affected audio and video resources (as in Chrome 79) using the setting described above.
Chrome 81, to be released in February 2020, will block images outright if they fail to load over HTTPS.