Google Chrome will block mixed content in the near future
Google Chrome will soon block all mixed content by default. Google revealed a plan in October 2019 that details how Chrome will handle mixed content in upcoming release versions.
Mixed content refers to pages that are loaded via HTTPS but include resources loaded via plain HTTP. A simple example is a page accessed via HTTPS that loads an image via HTTP. Chrome already blocks active mixed content such as scripts and iframes by default, because that content can execute code or alter the page, but it allows passive (display) content such as images, audio and video to load.
According to Google, the behavior threatens the privacy and security of users, since an "attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load".
Starting with Chrome 79 Stable, expected to be released in December 2019, Chrome will gradually upgrade or block mixed content that it encounters.
The company announced the following timeline:
- Chrome 79 -- New option in Site Settings to unblock mixed content in Google Chrome for specific sites. Click on the icon in front of the address and select Site Settings from the menu that opens; Chrome loads the Site Settings for the site in question. Locate Insecure Content and change it to Ask or Allow for that particular site.
- Chrome 80 -- Audio and Video resources will be upgraded to HTTPS automatically if possible. If that is not possible, they will be blocked.
- Chrome 80 -- Mixed images will still load but Chrome displays a "not secure" label in the address bar.
- Chrome 81 -- Mixed images will be upgraded to HTTPS if possible or blocked if that is not possible.
Chrome users may use the insecure content site setting to allow blocked resources on a particular site.
Mozilla, maker of Firefox, added a preference in Firefox 60, security.mixed_content.upgrade_display_content, that upgrades mixed display content (images, audio, video) to HTTPS. It is turned off by default, however.
The impact
The change has an impact on image, video, and audio resources that are currently loaded via HTTP on HTTPS sites. Chrome attempts to upgrade these resources to HTTPS automatically, but the upgrade only rewrites the scheme of the request: it will work only if the host the resource is loaded from serves the same resource over HTTPS as well. If that is not the case, there is no fallback to HTTP; the resources won't be loaded in Chrome 80 (video/audio) and Chrome 81 (images).
Chrome gets a new option in version 79 to allow these resources to be loaded if the browser blocks them; this is done to make sure that content does not break on certain sites that still have not been upgraded to HTTPS fully.
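The following is an added example, not code from the article or from Chrome itself: a small mixed-content audit that scans an HTML document for subresources, classifies them as active (scripts, iframes, objects, stylesheets) or display content (images, audio, video), and models what the timeline above means for each resource in Chrome 79, 80 and 81. The tag classification, the scheme-only rewrite used for "upgrade", and the sample page (hosts such as img.example) are assumptions made for the example; Chrome's real implementation is more involved.

```javascript
// Added example (not from the article or Chrome's source code): audit an HTML
// page for mixed content and model Chrome's 79/80/81 policy per resource.

// Active (blockable) content: it executes or can restyle the page. Assumption:
// this list approximates the browser's own classification.
const ACTIVE_TAGS = new Set(["script", "iframe", "object", "embed", "link"]);
// Display (optionally blockable) content: the resources the article says
// Chrome 80/81 autoupgrade.
const DISPLAY_TAGS = new Set(["img", "audio", "video", "source"]);

// Which display tags are autoupgraded, per the article's timeline.
function upgradedTags(version) {
  if (version >= 81) return new Set(["audio", "video", "source", "img"]);
  if (version === 80) return new Set(["audio", "video", "source"]);
  return new Set(); // Chrome 79 and earlier: display content still loads as-is
}

// A regex scan is sufficient for this audit; a real crawler would use an HTML parser.
const TAG_RE = /<(\w+)\b([^>]*)>/g;
const ATTR_RE = /\b(src|href|data|poster)\s*=\s*["']([^"']*)["']/gi;

// Return every subresource reference of interest, resolved against the page URL.
function findSubresources(html, pageUrl) {
  const out = [];
  for (const [, tagRaw, attrs] of html.matchAll(TAG_RE)) {
    const tag = tagRaw.toLowerCase();
    if (!ACTIVE_TAGS.has(tag) && !DISPLAY_TAGS.has(tag)) continue;
    // <link> only counts as a subresource when it loads a stylesheet.
    if (tag === "link" && !/rel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    for (const [, , ref] of attrs.matchAll(ATTR_RE)) {
      let url;
      try { url = new URL(ref, pageUrl); } catch { continue; }
      out.push({ tag, url });
    }
  }
  return out;
}

// The autoupgrade only rewrites the scheme; the same host must answer on HTTPS.
// There is no fallback to HTTP if that fetch fails (the browser blocks instead).
function upgradeUrl(url) {
  const up = new URL(url.href);
  up.protocol = "https:";
  return up;
}

// Decide what the browser does with one subresource at a given Chrome version.
function policyFor(res, pageUrl, version) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:" || res.url.protocol !== "http:") {
    return { action: "load", url: res.url.href }; // not mixed content
  }
  if (ACTIVE_TAGS.has(res.tag)) {
    return { action: "block", url: res.url.href }; // blocked in every version
  }
  if (upgradedTags(version).has(res.tag)) {
    return { action: "upgrade", url: upgradeUrl(res.url).href };
  }
  // Chrome 80 still loads mixed images but shows the "not secure" label.
  const action = version >= 80 ? "load-not-secure" : "load";
  return { action, url: res.url.href };
}

function audit(html, pageUrl, version) {
  return findSubresources(html, pageUrl).map((r) => ({ tag: r.tag, ...policyFor(r, pageUrl, version) }));
}

// Constructed sample page; the hosts are placeholders, not real sites.
const PAGE_URL = "https://www.example.test/page";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="http://cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/chart.png">
<img src="//img.example/logo.png">
<video poster="http://media.example/poster.jpg"><source src="http://media.example/clip.mp4"></video>
<audio src="https://media.example/stream.mp3"></audio>
<iframe src="http://ads.example/frame"></iframe>
</body></html>`;

// Usage: one row per subresource with the action Chrome 81 would take.
console.table(audit(SAMPLE_HTML, PAGE_URL, 81));
```

The protocol-relative `//img.example/logo.png` reference is not mixed content at all, because it inherits the page's scheme; that is the cheapest fix for a site's own references. The `upgrade` rows only show the rewritten URL; whether the HTTPS fetch actually succeeds has to be checked against the real host. Site operators who want the upgrade behaviour in every browser today, rather than waiting for Chrome's rollout, can send the `Content-Security-Policy: upgrade-insecure-requests` header, which instructs the browser to rewrite HTTP subresource requests to HTTPS before issuing them.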
Now You: Do you encounter many HTTP / mixed content sites in your day to day browsing?
Chrome will soon be an anti-insecure browser, so HTTPS is the only thing being prioritized; HTTP and other protocols will soon be banned.
No thanks. Google has decided to destroy unencrypted HTTP in the next decade, so personal and company websites with mixed content will soon be deprecated. I hate these trends.
Now You: Do you encounter many HTTP / mixed content sites in your day to day browsing?
In my values, visiting unknown and unspecified sites is limited.
For this reason I cannot say much on this topic, but the general consideration seems to be "Individual sites and sites with no revenue sources etc. remain unchanged due to the cost of digital signatures."
It leaves an unclear impression whether "all mixed content is dangerous".
But there is no doubt that "unpaid personal sites etc." will be sacrificed.
“…threatens the privacy and security of users according to Google…”
Google claims this with a straight face?
I turned on mixed content in FF, too many sites broke.
It's not just Google. Everyone knows that HTTP/mixed content is insecure and everything should be using HTTPS at this point, no excuses!
Meh.. if someone wants to man-in-the-middle my daily news reading they can feel free. Too many old sites with quality content will never upgrade vs the aggregators that just buy the latest server and run whatever the tech tells them to. This is a poor upgrade and I'll continue using whatever browsers don't implement it.
I seldom encounter HTTP / mixed content sites apart from radio portals.
In my case (Firefox) I totally block mixed content:
// disable insecure active content on https pages - mixed content
pref("security.mixed_content.block_active_content", true); // Default=true
// disable insecure passive content (such as images) on https pages - mixed content
pref("security.mixed_content.block_display_content", true); // Default=false : my initiative
This means of course that 3rd-party non-secure sites called by an https site are blocked. I come back to my radio portals sites to illustrate the possible issue and to show how some radio portal sites are smart and others less:
1- ShoutCAST: shoutcast.com is secured, but its radio portal directory.shoutcast.com accepts a non-secured connection: good, because if you address directory.shoutcast.com with https you won't get the music if you've disabled insecure passive content as I did (above).
2- Radio Garden : radio.garden (a site I love and don’t visit anymore) refuses to be addressed insecurely (only https) which is OK only if the user hasn’t disabled insecure passive content as I did (above).
This means that if mixed content is totally blocked (active and passive content), sites will have to either call all 3rd-party sites via https (which is not always feasible) or offer to be themselves addressed via unsecured http ... or the user has to leave insecure passive content enabled (as now on Firefox but not on upcoming Google Chrome).
It happens that https sites call 3rd-party insecure sites although https for those is available, which is why here on Firefox I've enabled a setting which handles just that:
// attempt to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains
pref("security.mixed_content.upgrade_display_content", true); // Default=false
This last setting, be it true or false, can be illustrated on this site :
Mixed content test (HTTP within HTTPS) at https://www.bennish.net/mixed-content.html
As I see it now, Chrome's decision to block mixed content will be problematic for portal sites which are called via https but distribute (link to) 3rd-party content, naturally, given it's their very purpose, but have no control over those 3rd-party sites' security. I have in mind radio portals because I listen to quite a lot of Web radios and most of them via portals, but other portal topics exist.
EDITing my above comment :
// attempt to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains
pref("security.mixed_content.upgrade_display_content", true); // Default=false
It's not that this setting "attempts" (and reverts to http if https is unavailable, as I thought), it's that it sets all http links to https.
If "security.mixed_content.block_display_content" is true then no problem, since the https connection would have failed anyway,
but if "security.mixed_content.block_display_content" is false then "security.mixed_content.upgrade_display_content" must be false as well.
Sorry for that, I just realized my mistake. If it hadn't been for this article triggering my curiosity I'd still be mistaken :=)
@Tom Hawack: I did not find the "security.mixed_content.upgrade_display_content" option description in ghacks-user.js but I changed it to "true" like the other options. Thank you.
Because I mentioned this 'security.mixed_content.upgrade_display_content' I emphasize the fact that:
‘security.mixed_content.block_display_content’
and
‘security.mixed_content.upgrade_display_content’
MUST have the same Boolean value: either both true or both false.
@Tom Hawack: Waterfox does not have the "security.mixed_content.upgrade_display_content" preference, nor does Pale Moon.
Do you know whether it is a hidden preference or whether it has no impact? If it does not matter then maybe "security.mixed_content.block_display_content" can be changed from false (default) to true.
Ok. I changed boolean values exactly as you said and I checked also ghacks-user.js.
It is difficult to follow every change that Mozilla makes. I have complained a lot that some about:config values become obsolete or are redundant.
Perhaps Thorin-Oakenpants will add "security.mixed_content.upgrade_display_content".
Search for the word "mixed":
https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js
Here are instructions for resetting unnecessary preferences. Thank you Thorin-Oakenpants.
https://github.com/ghacksuserjs/ghacks-user.js/tree/master/scratchpad-scripts
HTTPS Everywhere getting redundant soon then?
Not in the short run. Google attempts to upgrade image, video and audio resources to HTTPS only in Chrome. HTTPS Everywhere (I think) has no such restriction and may upgrade other content to HTTPS as well.
Finally!
Firefox did this ages ago, but Firefox’s marketshare is not big enough to change the way websites are designed.
Now most sites use https, but that was not always the case.
Right now, there are some websites that insist on using mixed content.
Hopefully, with Chrome blocking mixed content by default in Chrome 81, this nonsense will stop & all websites & their resources will be secure (https).
Unfortunately, Manifest v. 3 is still coming. Thank God for Firefox.