Google Chrome already blocks some types of "mixed content" on the web. Now Google has announced that it is getting even more serious: from the beginning of 2020, Chrome will block all mixed content by default, which will break some existing websites. Here is what that means.
What is mixed content?
There are two types of content: content that is delivered over a secure, encrypted HTTPS connection and content that is delivered over an unencrypted HTTP connection. If you use HTTPS, content cannot be snooped on or manipulated during transmission. Because of this, major websites provide encryption when handling financial information or private information.
The web is moving to secure HTTPS sites. If you connect to an older HTTP site without encryption, Google Chrome now warns you that these sites are "not secure." Google now even hides the "https://" indicator by default, as websites should simply be secure by default. The new HTTP/3 standard will have built-in encryption.
However, some web pages are not purely HTTPS or HTTP. Some web pages are delivered over a secure HTTPS connection, but they retrieve images, scripts, or other resources over an unencrypted HTTP connection. Such websites are said to contain "mixed content" because they are not completely secure. The web page itself could not be manipulated, but it could include a script, image, or iframe (a web page within a "frame" on another web page) that could be manipulated.
Why Mixed Content Is Bad
While scripts and iframes – "active content" – are the most dangerous, even mixed images, video, and audio content can be risky. For example, consider a secure stock trading website that retrieves a stock history image over HTTP. This image is not safe – it could have been tampered with during transmission to display incorrect details. And because it was delivered over an unencrypted connection, anyone snooping on the data in transit would probably know which stock you are currently viewing.
It's a bad idea to mix content like this. If a website uses HTTPS, all of its resources should also be retrieved over HTTPS. Mixed content is just a historical accident – the web started with HTTP and sites were gradually upgraded to HTTPS. They were not always updated to use HTTPS resources everywhere. They may also have needed a third-party resource that did not support HTTPS at the time.
With Google and other browser vendors making mixed content harder to use and discouraging it, websites must continue to clean up their content so that it is secure by default.
What's going on in Chrome?
Chrome currently blocks mixed scripts and iframes. Chrome will block mixed audio and video resources in Chrome 80, which will be released to early-release channels in January 2020. Technically, Chrome will try to load them over a secure HTTPS connection and block them if that does not work. Mixed images will still load, but Chrome will report that the page is "Not Secure." In Chrome 81, Chrome will also stop loading mixed images. Users can allow mixed content to load, but this is not the default.
All this helps to increase the security of the web. Google's blog post states that the "Not Secure" message "motivates websites to migrate their images to HTTPS."
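For site owners, the rollout described above can be turned into a quick audit. The following is an added example, not code from the original article or from Google: it scans the HTML of an HTTPS page for http:// subresources and labels each with the Chrome behaviour described above. It covers only the resource types the article names, and the sample page and `.example` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Chrome behaviour per resource type, as described in the article.
ACTIVE = "blocked today"
MEDIA = "Chrome 80: tried over HTTPS, blocked if that fails"
IMAGE = "Chrome 80: loads, page marked Not Secure; Chrome 81: blocked"
RULES = {"script": ACTIVE, "iframe": ACTIVE, "audio": MEDIA, "video": MEDIA, "img": IMAGE}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media_parent = None   # set while inside <audio>/<video>
        self.findings = []         # (tag, absolute_url, chrome_behaviour)

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media_parent = tag
        # A <source> child of a media element counts as that media type.
        rule = RULES.get(tag) or (MEDIA if tag == "source" and self.media_parent else None)
        src = dict(attrs).get("src")
        if rule and src:
            # Relative and protocol-relative URLs inherit https:// from the page.
            absolute = urljoin(self.page_url, src.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute, rule))

    def handle_endtag(self, tag):
        if tag == self.media_parent:
            self.media_parent = None

def find_mixed_content(page_url, html):
    """Return the http:// subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not from the article); all hosts are placeholders.
SAMPLE = """<script src="http://cdn.example/app.js"></script>
<script src="//cdn.example/ok.js"></script>
<img src="http://charts.example/history.png">
<img src="/static/logo.png">
<video><source src="http://media.example/clip.mp4"></video>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://trade.example/", SAMPLE), sep="\n")
```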
How to Unblock Mixed Content in Chrome
Chrome already blocks some types of mixed content, showing a shield icon in the address bar and the message "Unsafe Content Blocked." You can see how it works on this Google-created mixed-content sample page. For example, to unblock a mixed-content script, you must click a link called "Load unsafe scripts."
If you agree to run the mixed content, the site changes from "Secure" to "Not Secure."
Google simplifies this in Chrome 79, which will be released sometime in December 2019. You'll need to click the lock icon to the left of the page's address, click Site Settings, and then unblock mixed content for that site.
The option is getting harder to reach, but that's the point: most users should never have to enable mixed content for a site. Website developers need to fix their websites so that they deliver resources securely. This option ensures that anyone using an older corporate website will still be able to access it, even if mixed content is disabled for everyone.
If you rely on a website that needs it, you do not have to worry: Google has not announced a date for removing the option to load mixed content in Chrome. By default, Google's web browser will block all mixed content, but it will continue to offer the option to enable mixed content for the foreseeable future.
What about other browsers?
Chrome is not alone. Firefox also blocks mixed content such as scripts and iframes, and requires you to click the "Disable protection now" setting to enable it again. We expect Mozilla to follow in Google's footsteps. Apple's Safari is also aggressive in terms of blocking mixed content.
And of course, Microsoft's new Edge browser will be based on Chromium code, which is the foundation for Google Chrome, so it will behave like Chrome.