Posted on November 10, 2020 by Aaron Johnson
Below is a press release posted on the Chrome blog. We highly encourage our clients to check whether their site has been updated, so that nothing breaks for lack of the security settings Google Chrome is now promoting.
Please contact us if you need help understanding your website’s current security settings. Our website development team is standing by, ready to help you maintain and future-proof your website content today.
Update (April 6, 2020): Mixed image auto upgrading was originally scheduled for Chrome 81, but will be delayed until at least Chrome 84. Check the Chrome Platform Status entry for the latest information about when mixed images will be auto-upgraded and blocked if they fail to load over https://. Sites with mixed images will continue to trigger the “Not Secure” warning.
Today we’re announcing that Chrome will gradually start ensuring that https:// pages can only load secure https:// subresources. In a series of steps outlined below, we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users.
In the past several years, the web has made great progress in transitioning to HTTPS: Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. We’re now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date.
HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users’ privacy and security. For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.
In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will auto-upgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Users will be able to enable a setting to opt out of mixed content blocking on particular websites, and below we’ll describe the resources available to developers to help them find and fix mixed content.
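As an added example that is not part of the Chrome post, the script below scans the HTML of an https:// page for http:// subresources and reports whether each one would be blocked outright (scripts, iframes) or auto-upgraded to https:// (images, audio, video) under the rollout described above; the example.test hosts and the sample markup are constructed.

```python
# Added example (not from the Chrome post): scan an https:// page's HTML for
# mixed content and classify each hit the way the rollout above describes.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> attribute that fetches a subresource. Scripts and iframes are blocked
# outright; images, audio and video are auto-upgraded, then blocked on failure.
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                     "audio": "src", "video": "src", "source": "src"}
BLOCKED_TAGS = {"script", "iframe"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hits = []  # (tag, absolute URL) for every http:// subresource

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host/...) references
        # against the https:// page, so only explicit http:// ones stay insecure.
        url = urljoin(self.page_url, value)
        if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
            self.hits.append((tag, url))

def upgrade_to_https(url):
    """Auto-upgrade: same host, path and query, but the https scheme."""
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))

def find_mixed_content(page_url, html):
    """One dict per mixed subresource; [] if the page itself is not https."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return [{"tag": tag, "url": url,
             "action": "blocked" if tag in BLOCKED_TAGS else "auto-upgraded",
             "fetched_as": None if tag in BLOCKED_TAGS else upgrade_to_https(url)}
            for tag, url in finder.hits]

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE_HTML = """
<img src="http://cdn.example.test/chart.png">
<img src="//cdn.example.test/logo.png">
<video src="/media/intro.mp4"></video>
<script src="http://cdn.example.test/app.js"></script>
<audio src="HTTP://cdn.example.test/jingle.mp3?v=2"></audio>
"""
```

Running `find_mixed_content("https://www.example.test/page", SAMPLE_HTML)` flags the first image, the script and the audio element; the protocol-relative logo and the relative video resolve to https:// and are not mixed.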
Instead of blocking all mixed content all at once, we’ll be rolling out this change in a series of steps.
Developers should migrate their mixed content to https:// immediately to avoid warnings and breakage. Here are some resources:
Posted by Emily Stark and Carlos Joan Rafael Ibarra Lopez, Chrome security team
Contact Social Link for help navigating the updates needed to keep your site from breaking after this release.