Recently, Google has involved itself in numerous privacy and security changes within Google Chrome. The most important of these was the emphasis on HTTPS for websites. Now, they have announced another strict move in this connection. Google intends to block HTTPS mixed content within their Chrome browser.
Google To Block Mixed Content
Reportedly, Google plans to block mixed content for HTTPS in the future. According to a recent blog post by the Chrome Security Team, Google will eventually block mixed content entirely within Chrome. This would ensure full HTTPS implementation only.
What Is Mixed Content
As explained separately, ‘Mixed Content’ refers to the type of content on websites using HTTPS where certain elements on the web page load over HTTP.
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS.
How It Affects Browser Security
Although, Chrome used to notify users about the presence of such content. It couldn’t protect the users from the potential evils of HTTP content on the web page. Thus, the existence of such content downgrades the extent of security as ensured with full HTTPS sites.
Requesting subresources using the insecure HTTP protocol weakens the security of the entire page, as these requests are vulnerable to man-in-the-middle attacks, where an attacker eavesdrops on a network connection and views or modifies the communication between two parties.
Eventually, the presence of such content could even allow an adversary to take complete control of the affected page.
Google explained that such content also affects the browser security UX. The browser could neither present it as HTTPS, nor HTTP.
Implementation To Happen Gradually
While Google has announced their plans to ensure no mixed content, it will do so in a number of different steps. Consequently, HTTPS websites with mixed content have enough time to modify the affected pages accordingly.
As per the disclosed timeline, initially, Google will roll out settings for users to unblock mixed content on sites. This will take place with Chrome 79 releasing in December 2019.
Then, with Chrome 80, Google will block audio/video resources that fail to load over HTTPS by default. Users would still be able to unblock the content via given settings. However, it will allow the mixed images, where the browser will prompt the site as ‘Not Secure’.
Finally, with Chrome 81 coming in February 2020, Google will block mixed images as well.
For convenience, Google has shared detailed guides for migrating to HTTPS and preventing mixed content as well.
Let us know your thoughts in the comments.