Internet related News · 2019-10-04

Google Chrome to ensure only https pages load – News



Google today announced that its Chrome browser will gradually start ensuring that https:// pages can only load secure https:// subresources.

From December 2019, Chrome will start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy & security on the Web, it said.

Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. Now, Google said, it was turning attention to making sure that HTTPS configurations across the Web were secure & up-to-date.

HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts & iframes, but images, audio, & video are still allowed to load, which threatens users’ privacy & security. For example, Google said, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load.

Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.

In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all such mixed content by default.

To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Users will be able to enable a setting to opt out of mixed content blocking on particular websites.

– Google
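For site owners preparing for this change, the following added example (not from Google or the original article) audits a page's HTML for http:// subresources and groups them the way the article does: types browsers already block versus types that still load today. The function names, status labels and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Grouping follows the article: scripts and iframes are already blocked by
# default; images, audio and video are still allowed to load.
ALREADY_BLOCKED = {("script", "src"), ("iframe", "src")}
# <source> is the child element that carries the URL for <audio>/<video>.
STILL_LOADED = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentAuditor(HTMLParser):
    """Collects http:// subresources referenced by an https:// page."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content only applies to https:// pages")
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or (tag, name) not in ALREADY_BLOCKED | STILL_LOADED:
                continue
            # Resolve relative and scheme-relative URLs against the page URL,
            # so "//host/x" and "/x" inherit https and are not flagged.
            parts = urlsplit(urljoin(self.page_url, value.strip()))
            if parts.scheme != "http":
                continue
            blocked = (tag, name) in ALREADY_BLOCKED
            self.findings.append({
                "tag": tag,
                "url": parts.geturl(),
                "status": "already-blocked" if blocked else "still-loaded",
                # Same resource over https://; check that the host serves it.
                "https_candidate": parts._replace(scheme="https").geturl(),
            })

def audit(page_url, html):
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (hypothetical hosts, not taken from any real site).
SAMPLE_HTML = """
<script src="http://cdn.example.test/app.js"></script>
<img src="http://img.example.test/chart.png">
<img src="//img.example.test/logo.png">
<video src="http://media.example.test/clip.mp4"></video>
<iframe src="https://frames.example.test/ok.html"></iframe>
"""
```

Calling `audit("https://www.example.test/report", SAMPLE_HTML)` returns three findings; each `https_candidate` is the URL to test before the subresource reference is changed to https://.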
