Starting next year, Google Chrome will get a lot tougher on websites that have not fully migrated to HTTPS and are still loading some page resources, such as images, audio, video, or scripts, via HTTP.
Known as "mixed content," this has been a problem since the first days when websites began migrating to HTTPS.
But for the past few years, browsers have ignored the problem of mixed content, as long as the main domain was loaded via HTTPS.
This was because, for the vast majority of the internet's history, HTTPS was an outlier: few websites used it, and it wasn't considered a must-have technical requirement.
But in recent years, both Google and Mozilla have been heavily promoting the use of HTTPS, each in their own way.
For example, Mozilla and its partners launched a service called Let's Encrypt to provide server administrators with access to free and easy-to-use TLS certificates, so they can support HTTPS on their sites.
For its part, Google has been making constant changes to Chrome, today's most popular browser. The company has effectively "abused" its position as the dominant market player to set trends and instill new habits among website owners and end-users.
For starters, it began showing "Not Secure" indicators on forms and login fields loaded over HTTP. Even if websites loaded via HTTPS, Chrome refused to show a green padlock if there was mixed content on the page. It also began blocking browser downloads on HTTPS pages, if the content was being downloaded via HTTP.
The company also changed its approach to HTTPS and HTTP websites. Instead of rewarding sites that moved to HTTPS by showing a "Secure" indicator in the URL bar, they're now showing a "Not Secure" indicator on HTTP sites, as a penalty for sites that failed to migrate to HTTPS.
All of this has been very successful and has helped nudge more and more website owners and online services towards using HTTPS.
"Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms," Google engineers said in a blog post today.
But now Google is taking its next step: eradicating mixed content on the web. Sites will need to move their websites entirely to HTTPS, and not just the main domain.
"In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default," Google said today.
"To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://," it said.
In addition, to prevent users from being blocked from accessing legacy or abandoned sites, Google will also be making available a setting to opt out of mixed content blocking on particular websites.
Here are the company's upcoming plans:
Webmasters are advised to look into making sure their websites don't load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images. As a starting point, Google engineers recommended the following resources:
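As an added example (not from the article and not one of the resources Google recommended), the following Python audit parses a page's HTML and lists the subresources (images, audio, video, scripts, iframes, stylesheets) that an HTTPS page would request over http://. The page URL, the example.com hosts, the sample markup and the FETCHING_RELS set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (types the article lists).
SUBRESOURCE_ATTRS = {"img": "src", "audio": "src", "video": "src", "source": "src",
                     "script": "src", "iframe": "src", "link": "href"}
# Assumption: <link> triggers a fetch only for these rel values; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload"}
# Constructed sample page, assumed to be served from https://www.example.com/index.html
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<img src="/static/banner.png">
<a href="http://other.example.org/">plain hyperlink, not a subresource</a>
<iframe src="https://video.example.com/embed/1"></iframe>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr, values = SUBRESOURCE_ATTRS.get(tag), dict(attrs)
        if attr is None or not values.get(attr):
            return
        rels = set((values.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        # Resolve relative and protocol-relative (//host/path) URLs against the page URL.
        absolute = urljoin(self.page_url, values[attr].strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((self.getpos()[0], tag, absolute))


def find_mixed_content(page_url, html):
    """Return HTTP subresources of an HTTPS page; an HTTP page has no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

The audit only inspects static markup; resources requested at run time by scripts or from inside CSS files need a browser-side check.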