Google gets tougher on HTTPS with ban on mixed content
Starting next year, Google Chrome will get a lot tougher on websites that have not fully migrated to HTTPS and are still loading some page resources, such as images, audio, video, or scripts, via HTTP.
Known as "mixed content," this has been a problem since the first days when websites began migrating to HTTPS.
But for the past few years, browsers have ignored the problem of mixed content, as long as the main domain was loaded via HTTPS.
This was because, for the vast majority of the internet's history, HTTPS was an outlier, few websites used it, and wasn't considered a must-have technical requirement.
But in recent years, both Google and Mozilla have been heavily promoting the use of HTTPS, each in their own way.
For example, Mozilla and its partners launched a service called Let's Encrypt to provide server administrators with access to free and easy to use TLS certificates, so they can support HTTPS on their sites.
For its part, Google has been making constant changes to Chrome, today's most popular browser. The company has effectively "abused" its position as the dominant market player to set trends and instill new habits among website owners and end-users
For starters, it began showing "Not Secure" indicators on forms and login fields loaded over HTTP. Even if websites loaded via HTTPS, Chrome refused to show a green padlock if there was mixed content on the page. It also began blocking browser downloads on HTTPS pages, if the content was being downloaded via HTTP.
The company also changed its approach to HTTPS and HTTP websites. Instead of rewarding sites that moved to HTTPS by showing a "Secure" indicator in the URL bar, they're now showing a "Not Secure" indicator on HTTP sites, as a penalty for sites that failed to migrate to HTTPS.
90% of Chrome traffic is over HTTPS
All of this has been very successful and has helped nudge more and more website owners and online services towards using HTTPS.
"Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms," Google engineers said in a blog post today.
But now Google is making its next step -- of eradicating mixed content on the web. Sites will need to move their HTTPS websites entirely to HTTPS, and not just the main domain.
"In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default," Google said today.
"To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://," it said.
In addition, to prevent users from being blocked from accessing legacy or abandoned sites, Google will also be making available a setting to opt out of mixed content blocking on particular websites.
Here are the company's upcoming plans:
- In Chrome 79, releasing to stable channel in December 2019, we'll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
- In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
- Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a "Not Secure" chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
- In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.
Webmasters are advised to look into making sure their websites don't load any resources over HTTP anymore. This includes iframes, cookies, CSS files, JavaScript files, audio, video, and especially images. As a starting point, Google engineers recommended the following resources:
- Use Content Security Policy and Lighthouse's mixed content audit to discover and fix mixed content on your site.
- See this guide for general advice on migrating servers to HTTPS.
- Check with your CDN, web host, or content management system to see if they have special tools for debugging mixed content. For example, Cloudflare offers a tool to rewrite mixed content to https://, and WordPress plugins are available as well.