Chrome will completely block mixed content



Loading images from insecure sites will also be blocked



Google continues to promote HTTPS, increasingly restricting sites that don't have TLS certificates, although few such sites remain. Since July last year, Chrome has flagged such sites as insecure. Now comes the next step: the company has announced a series of measures to gradually block mixed content.



Mixed content is unprotected elements loaded over plain HTTP by pages served over HTTPS (pages with an SSL/TLS certificate): for example, images, audio and video from third-party (insecure) domains. This practice will have to be abandoned altogether.



“In recent years, the Internet has made great progress in switching to HTTPS: the share of secure traffic in Chrome has exceeded 90% on all major platforms. Now we want to make sure that HTTPS configurations over the Internet are safe and up-to-date,” the company's official blog explains.



Browsers already block many types of mixed content by default, including scripts and frames, but multimedia elements still load. According to Google, this threatens users' privacy and security: because such traffic is not encrypted, it is susceptible to all kinds of MITM attacks. For example, an attacker can tamper with a stock chart to mislead investors, or inject a tracking cookie into the page.



Loading mixed content is also confusing from a UX standpoint: the page is presented as neither secure nor insecure, but somewhere in between.



“Starting with Chrome 79, all mixed content will gradually be blocked by default. To minimize the damage, we will automatically transfer mixed resources to https://, so sites will continue to work automatically if their third-party resources are also available at https://,” Google explains. “Users will be able to enable the option to opt out of blocking mixed content on certain websites.”



Chrome 79 will be released on the stable channel in December 2019. It will add a new setting to unblock mixed content on specific sites. This option will apply to scripts, frames, and the other types of content that Chrome currently blocks by default. The site settings (Site settings) are opened by clicking the lock icon, as shown in the screenshot.







In the second stage, starting with Chrome 80 (early builds will appear in January 2020), all resources loaded from insecure sites, except images, will be automatically upgraded to https://, and Chrome will block them by default if they cannot be loaded via HTTPS. The unblock setting described above will remain available.



The only exception will be images, which the browser will not block even over insecure connections. In such cases, however, the “Not Secure” warning appears in the interface, as in the screenshot.







In Chrome 81 (early builds will appear in February 2020), images will also be automatically upgraded to https://, and Chrome will block them by default if they cannot be loaded via HTTPS.



Google recommends that web developers audit their resources using the Lighthouse tool or third-party plugins and utilities. For example, there is such a plugin for WordPress and a utility from Cloudflare.
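As an added illustration of the kind of audit described above (this is not Google's, Lighthouse's or Cloudflare's code), the following script lists every http:// subresource referenced by an HTTPS page and the Chrome version from which, according to the rollout stages above, Chrome blocks it; the page URL and HTML are constructed samples, not taken from any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute loads a subresource, and the Chrome version from
# which an http:// load of that kind is blocked: scripts and frames are blocked
# already, audio/video are auto-upgraded and blocked from 80, images from 81.
BLOCKED_FROM = {"script": "already", "iframe": "already",
                "audio": "80", "video": "80", "img": "81"}


class MixedContentAuditor(HTMLParser):
    """Collects (tag, absolute_url, blocked_from) for insecure subresources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in BLOCKED_FROM:
            return
        value = dict(attrs).get("src")
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL, so
        # "/x.png" and "//cdn/x.png" inherit https and are NOT mixed content.
        url = urljoin(self.page_url, value)
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, BLOCKED_FROM[tag]))


def audit(page_url, html):
    """Return the insecure subresources of an HTTPS page, in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    return parser.findings


def upgraded(url):
    """The https:// URL Chrome will try instead of the insecure one."""
    return "https://" + url[len("http://"):]


# Constructed sample page and markup (hypothetical hostnames).
SAMPLE_PAGE_URL = "https://shop.example/quotes"
SAMPLE_HTML = """
<script src="http://cdn.example/app.js"></script>
<img src="http://charts.example/stock.png">
<img src="//charts.example/logo.png">
<video src="http://media.example/intro.mp4"></video>
<img src="/local.png">
"""
```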



See also the "Complete guide to the transition to HTTPS" on Habr.



Other browsers will soon follow Chrome's changes. Google usually does not take such steps in isolation; everything happens in concert with colleagues on the Firefox, Edge, and Safari development teams. Therefore, in 2020, mixed content will not load anywhere.










