Google Chrome will block mixed content in the near future

Martin Brinkmann
Nov 6, 2019
Google Chrome
|
15

Google Chrome will soon block all mixed content by default. Google revealed a plan in October that details how the company's Chrome browser will handle mixed content in the next release versions.

Mixed content refers to sites that load via HTTPS but use HTTP resources. A simple example is a site that loads an image via HTTP while the page itself is accessed via HTTPS. Chrome blocks scripts and iframes by default if they are loaded via HTTP on HTTPS sites but allows static content such as images to be displayed.

The behavior threatens the privacy and security of users according to Google as an "attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load".

Starting with Chrome 79 Stable, expected to be released in December 2019, Chrome will gradually upgrade or block mixed content that it encounters.

insecure content block

The company announced the following timeline:

  • Chrome 79 -- New option in Site Settings to unblock mixed content in Google Chrome for specific sites. Just click on the icon in front of the address and select Site Settings from the interface that opens; Chrome loads the Site Settings for the site in question. Locate Insecure Content to change it to Ask or Allow for that particular site.
  • Chrome 80 -- Audio and Video resources will be upgraded to HTTPS automatically if possible. If that is not possible, they will be blocked.
  • Chrome 80 -- Mixed images will still load but Chrome displays a "not secure" label in the address bar.
  • Chrome 81 -- Mixed images will be upgraded to HTTPS if possible or blocked if that is not possible.

Chrome users may use the insecure content site setting to allow blocked resources on a particular site.

Mozilla, maker of Firefox, implemented a new preference in Firefox 60 to allow mixed content in the browser. It is turned off by default, however.

The impact

The change has an impact on image, video, and audio resources that are loaded via HTTP currently on HTTPS sites. Chrome attempts to upgrade these resources to HTTPS automatically but that will work only if the site the resources are loaded from supports it (meaning it supports HTTP and HTTPS). If that is not the case, the resources won't be loaded in Chrome 80 (video/audio) and Chrome 81 (images).

Chrome gets a new option in version 79 to allow these resources from being loaded if blocked by the browser; this is done to make sure that content does not break on certain sites that still have not been upgraded to HTTPS fully.

Now You: Do you encounter many HTTP / mixed content sites in your day to day browsing?

Summary
Google Chrome will block mixed content in the near future
Article Name
Google Chrome will block mixed content in the near future
Description
Google Chrome will soon try to upgrade certain mixed content resources (image, video, audio) or block them if not possible by default.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Muhammad Firza said on December 1, 2019 at 9:08 am
    Reply

    Chrome soon to be anti-unsecure browsers, so https is only prioritizing, http and other protocols soon banned.

    No thanks, google decided to destroying unencrypted http in the next decade and so personals/companies websites with mixed contents soon deprecated, now i hate this trends.

  2. owl said on November 15, 2019 at 9:21 am
    Reply

    Now You: Do you encounter many HTTP / mixed content sites in your day to day browsing?

    In my values, visiting unknown and unspecified sites is limited.
    For this reason, this topic cannot be mentioned, but the general consideration seems to be “Individuals sites and sites with no revenue sources etc, remain unchanged due to the cost of digital signatures.”
    It is impression of an unclear feeling whether “all mixed content is dangerous”.
    But, there is no doubt that “unpaid personal sites etc” will be sacrificed.

  3. ULBoom said on November 6, 2019 at 2:41 pm
    Reply

    “…threatens the privacy and security of users according to Google…”

    Google claims this with a straight face?

    I turned on mixed content in FF, too many sites broke.

    1. Anonee said on November 7, 2019 at 3:17 am
      Reply

      It’s not just google. Everyone knows that HTTP/mixed content is unsecure and everything should be using HTTPS at this point, no excuses!

      1. daveb said on November 10, 2019 at 2:55 am
        Reply

        Meh.. if someone wants to man in the middle my daily news reading they can feel free. Too many old sites with quality content will never upgrade vs the aggregtors that just buy the latest server and run whatever the tech tells them to. This is a poor upgrade and I’ll continue using whatever browsers dont implement it.

  4. Tom Hawack said on November 6, 2019 at 11:27 am
    Reply

    I seldom encounter HTTP / mixed content sites apart from radio portals.

    In my case (Firefox) I totally block mixed content :

    // disable insecure active content on https pages – mixed content
    pref(“security.mixed_content.block_active_content”, true); // Default=true

    // disable insecure passive content (such as images) on https pages – mixed context
    pref(“security.mixed_content.block_display_content”, true); // Default=false : my initiative

    This means of course that 3rd-party non-secure sites called by an https site are blocked. I come back to my radio portals sites to illustrate the possible issue and to show how some radio portal sites are smart and others less:

    1- ShoutCAST : shoutcast.com is secured, but its radio portal directory.shoutcast.com accepts a non-secured connection : good, because if you address directory.shoutcast.com with https you won’t get the music if you’ve disabled insecure passive content as I did (above).

    2- Radio Garden : radio.garden (a site I love and don’t visit anymore) refuses to be addressed insecurely (only https) which is OK only if the user hasn’t disabled insecure passive content as I did (above).

    This means that if mixed content is totally blocked (active and passive content) sites will have to either call all 3rd-party sites via https (which is not always feasible) either offer to be themselves addressed via unsecured http … or the user has to leave enabled insecure passive content (as now on Firefox but not on upcoming Google Chrome).

    It happens that https sites call 3rd-party insecure sites although https for those is available, which is why here on Firefox I’ve enabled a setting which handles just that :

    // attempt to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains
    pref(“security.mixed_content.upgrade_display_content”, true); // Default=false

    This last setting, be it true or false, can be illustrated on this site :
    Mixed content test (HTTP within HTTPS) at https://www.bennish.net/mixed-content.html

    As I see it now, Chrome’s decision to block mixed content will be problematic for portal sites which are called via https but distribute (link to) 3rd-party naturally given it’s their very purpose but have no control on those 3rd-part sites security. I have in mind radio portals because i listen to quite a lot of Web radios and most of them via portals, but other portal topics exist.

    1. Tom Hawack said on November 6, 2019 at 1:24 pm
      Reply

      EDITing my above comment :

      // attempt to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains
      pref(“security.mixed_content.upgrade_display_content”, true); // Default=false

      It’s not that this setting “attempts” (and reverses to http if https unavailable as i thought), it’s that it sets all http links to https.
      If “security.mixed_content.block_display_content” is true then no problem since the https connection would have failed anyway,
      but if “security.mixed_content.block_display_content” is false then “security.mixed_content.upgrade_display_content” must be false as well.

      Sorry for that, I just realized my mistake. It wouldn’t have been for this article triggering my curiosity I’d still be mistaking :=)

      1. Anonymous said on November 8, 2019 at 9:09 pm
        Reply

        @Tom Hawack: I did not find ”security.mixed_content.upgrade_display_content” option description from ghacks-user.js but I changed it ”true” as other options. Thank you.

      2. Tom Hawack said on November 9, 2019 at 10:00 am
        Reply

        Because I mentioned this ‘security.mixed_content.upgrade_display_content’ I emphasize on the fact that :

        ‘security.mixed_content.block_display_content’
        and
        ‘security.mixed_content.upgrade_display_content’

        MUST have the same Boolean value : either both true, either both false.

      3. Anonymous said on November 14, 2019 at 5:19 pm
        Reply

        @Tom Hawack: Waterfox has not ”security.mixed_content.upgrade_display_content”, nor Pale Moon, preference.

        Do you know is it hidden preference or it has no impact? If it does not matter then maybe ”security.mixed_content.block_display_content” can change from false (default) to true.

      4. Anonymous said on November 9, 2019 at 9:31 pm
        Reply

        Ok. I changed boolean values exactly as you said and I checked also ghacks-user.js.

        It is difficult to follow every change that Mozilla make. I have complained much about some of about:config values become obsolote or are redundant.

        Perhaps Thorin-Oakenpants will add ”security.mixed_content.upgrade_display_content”.

        Search word ”mixed”
        https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

      5. Anonymous said on November 11, 2019 at 1:35 pm
        Reply

        Here is instructions for resetting unnecessary preferences. Thank you Thorin-Oakenpants.

        https://github.com/ghacksuserjs/ghacks-user.js/tree/master/scratchpad-scripts

  5. fgh said on November 6, 2019 at 9:33 am
    Reply

    https everywhere getting redundant soon then?

    1. Martin Brinkmann said on November 6, 2019 at 9:40 am
      Reply

      Not in the short run. Google attempts to upgrade image, video and audio resources to HTTPS only in Chrome. HTTPS Everywhere (I think) has no such restriction and may upgrade other content to HTTPS as well.

  6. notanon said on November 6, 2019 at 7:17 am
    Reply

    Finally!

    Firefox did this ages ago, but Firefox’s marketshare is not big enough to change the way websites are designed.

    Now most sites use https, but that was not alway the case.

    Right now, there are some websites that insist on using mixed content.

    Hopefully, with Chrome blocking mixed content by default in Chrome 81, this nonsense will stop & all websites & their resources will be secure (https).

    Unfortunately, Manifest v. 3 is still coming. Thank God for Firefox.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.