Google announced that the Chrome browser will start blocking web pages with mixed content beginning December 2019. Publishers are urged to check their websites to make sure that no resources are being loaded over the insecure HTTP protocol.
What is Mixed Content
Mixed content occurs when a secure web page (loaded through HTTPS) also contains scripts, styles, images or other linked content that is served through the insecure HTTP protocol.
Mixed content presents a security risk to your site visitors as well as to your website.
According to Google’s developer page on mixed content:
“Mixed content degrades the security and user experience of your HTTPS site.
…Using these resources, an attacker can often take complete control over the page, not just the compromised resource.”
How Google Chrome Will Handle Mixed Content
Google Chrome handles mixed content by blocking insecure content on secure pages by default. This covers insecure resources such as images, videos, scripts, and stylesheets that a secure website (using HTTPS) loads over HTTP.
Starting with Chrome version 81 (released in April 2020), Chrome began blocking mixed content downloads, which means that if a secure webpage tries to download a resource over an insecure connection, Chrome will block the download. This helps to protect users from malicious downloads that can be disguised as harmless resources.
In addition to blocking downloads, Chrome also shows a warning icon in the address bar of the browser, indicating that the page contains mixed content. Clicking on the icon provides additional information about the types of insecure resources that are being loaded, giving users an opportunity to make informed decisions about whether or not to continue using the site.
Overall, Google Chrome’s approach to mixed content helps to ensure that users are protected from potentially harmful resources while still allowing them to access the content they need on the web.
Currently Google loads pages with mixed content. Beginning in December 2019 with the introduction of Chrome 79, Google will do two things:
- Google will automatically upgrade HTTP content to HTTPS if that resource exists on HTTPS.
- Google will introduce a toggle that a Chrome user can use to unblock insecure resources that Chrome is blocking.
Although this isn’t a full block, it might as well be, because users may opt to back out of a site that displays a security warning.
This will be a bad experience for publishers and may lead to fewer sales, visitors and ad views.
Beginning in January 2020, Google will remove the unblocking option and begin blocking mixed content web pages.