What Is “Mixed Content,” and Why Is Chrome Blocking It?
Google Chrome already blocks some types of “mixed content” on the web. Now, Google announced it’s getting even more serious: Starting in early 2020, Chrome will block all mixed content by default, breaking some existing web pages. Here’s what that means.
What Is Mixed Content?
There are two types of content here: Content delivered over a secure, encrypted HTTPS connection, and content delivered over an unencrypted HTTP connection. When you use HTTPS, content can’t be snooped on or tampered with in transit, which is why it’s critical websites offer encryption when dealing with financial information or private data.
The web is moving to secure HTTPS websites. If you connect to an older HTTP website without encryption, Google Chrome now warns you these websites are “not secure.” Google now even hides the “https://” indicator by default, as sites should just be secure by default. And the new HTTP/3 standard will have built-in encryption.
But some web pages can be neither entirely HTTPS nor completely HTTP. Some web pages are delivered over a secure HTTPS connection, but they pull in images, scripts, or other resources via an unencrypted HTTP connection. Such web pages have “mixed content” because they’re not fully secure. The web page itself couldn’t be tampered with, but it may pull in a script, image, or iframe (a web page inside a “frame” on another web page) that could have been tampered with.
Why Mixed Content Is Bad
Mixed content is confusing. You’re somehow viewing a web page that’s both secure and not secure. For example, a usually safe and secure web page could pull in a JavaScript file via HTTP. That script could be modified in transit (for instance, if you’re on a public Wi-Fi network that isn’t trustworthy) to do many nasty things on the web page, from monitoring your keystrokes to inserting a tracking cookie.
While scripts and iframes (“active content”) are the most dangerous, even mixed images, videos, and audio could be risky. For example, imagine you’re viewing a secure stock trading website that pulls in an image of a stock’s history via HTTP. That image isn’t secure: it could have been tampered with in transit to show incorrect details. Also, because it was delivered over an unencrypted connection, anyone snooping on the data in transit likely knows what stock you’re looking at.
It’s a bad idea to mix content like this. If a web page is using HTTPS, all its resources should be pulled in via HTTPS as well. It’s just a historical accident the web started with HTTP, and websites gradually upgraded to HTTPS. As they did, they didn’t always update to use HTTPS resources everywhere. Or, they may have depended on a third-party resource that didn’t support HTTPS at the time.
Now, with Google and other browser vendors making mixed content more difficult and discouraging, websites will have to clean things up so their web pages will continue working by default.
What Exactly Is Changing in Chrome?
Chrome currently blocks mixed scripts and iframes. In Chrome 80, which will be released to early release channels in January 2020, Chrome will block mixed audio and video resources. Technically, it will first try to load them over a secure HTTPS connection instead, and block them only if they won’t load that way. Mixed images will load, but Chrome will say the web page is “Not Secure.” In Chrome 81, Chrome will stop loading mixed images, too. Users can allow the mixed content to load, but it won’t by default.
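To make the distinction between active and passive mixed content concrete, and to show how the Chrome 80/81 rules described above apply to a real page, here is a small scanner that walks a page’s HTML, finds every subresource fetched over plain http://, and reports what the article says Chrome does with it. This is an added example written for this page, not code from the article or from Chromium; the sample HTML and the host names in it are constructed, and the version rules are taken only from the article’s description.

```python
"""Scan an HTTPS page's HTML for mixed-content subresources and report how
Chrome 79 / 80 / 81 treats each one, following the behaviour the article
describes.  Added illustration, not code from the article or from Chromium;
the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tags whose src attribute pulls in a subresource, split into "active"
# content (can run code or change the page) and "passive" media.
ACTIVE_TAGS = {"script", "iframe"}
PASSIVE_TAGS = {"img", "audio", "video"}


class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every subresource on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []
        self._media_stack = []  # open <audio>/<video> elements, for <source>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video"):
            self._media_stack.append(tag)
        if tag == "source" and self._media_stack:
            tag = self._media_stack[-1]  # a <source> inherits its parent's type
        src = attrs.get("src")
        if tag in ACTIVE_TAGS | PASSIVE_TAGS and src:
            # Relative URLs resolve against the page and are therefore https.
            self.resources.append((tag, urljoin(self.base_url, src)))

    def handle_endtag(self, tag):
        if tag in ("audio", "video") and self._media_stack:
            self._media_stack.pop()


def is_mixed(url):
    """A subresource on an HTTPS page is mixed content if fetched over http://."""
    return urlsplit(url).scheme == "http"


def upgrade(url):
    """Rewrite http:// to https://: what Chrome's autoupgrade attempts at load
    time, and what the site owner should do to the markup permanently."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + parts[1:]) if parts.scheme == "http" else url


def disposition(tag, url, chrome_version):
    """What Chrome does with one subresource, per the article's description."""
    if not is_mixed(url):
        return "allowed"
    if tag in ACTIVE_TAGS:
        return "blocked"            # scripts/iframes were blocked before Chrome 80
    if tag in ("audio", "video"):
        # Chrome 80+: fetched over https instead, blocked if that fails.
        return "autoupgraded" if chrome_version >= 80 else "loaded"
    if tag == "img":
        if chrome_version >= 81:
            return "blocked"        # Chrome 81: mixed images no longer load
        if chrome_version == 80:
            return "loaded-not-secure"  # loads, but the page is flagged Not Secure
        return "loaded"
    return "allowed"


def scan(html, page_url, chrome_version=80):
    """Return [(tag, url, disposition)] for every subresource on the page."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url, disposition(tag, url, chrome_version))
            for tag, url in collector.resources]


# Constructed sample: an HTTPS page that still references http:// resources.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<script src="http://cdn.example/analytics.js"></script>
<script src="/static/app.js"></script>
<img src="http://img.example/chart.png">
<video controls><source src="http://media.example/ad.mp4"></video>
<iframe src="http://partner.example/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for version in (79, 80, 81):
        print(f"Chrome {version}:")
        for tag, url, what in scan(SAMPLE_HTML, SAMPLE_PAGE_URL, version):
            fix = "" if what == "allowed" else f"  -> fix: {upgrade(url)}"
            print(f"  {tag:7} {what:18} {url}{fix}")
```

Running it prints one line per subresource for each Chrome version, so the same page moves from "one blocked script, one blocked iframe, everything else loads" in Chrome 79 to "everything mixed blocked or upgraded" in Chrome 81. The `upgrade` function is the fix side: the lasting repair is to change the markup (or the third-party URL) to https://, and a site can also send the standard `Content-Security-Policy: upgrade-insecure-requests` header to have browsers rewrite remaining http:// subresource URLs themselves.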
It’s all part of making the web more secure. Google’s blog post says that it expects the “Not Secure” message “will motivate websites to migrate their images to HTTPS.”
How Chrome Will Let You Unblock Mixed Content
Chrome already blocks some types of mixed content, showing a shield icon in the address bar and an “Insecure content blocked” message. You can see how it works on this mixed content example page created by Google. For example, to unblock a mixed content script, you have to click a link named “Load unsafe scripts.”
If you agree to run the mixed content, the web page changes from Secure to Not Secure.
Google will be simplifying this in Chrome 79, which will be released sometime in December 2019. You’ll have to click the lock icon to the left of the page’s address, click “Site Settings,” and then unblock mixed content for that site.
The option becomes more buried, but that’s the point: Most people should never need to enable mixed content for a site. Website developers need to fix their websites to deliver resources securely. This option will ensure anyone using an older business site can continue accessing it, even while mixed content is disabled for everyone.
If you need a site that requires this, don’t worry: Google hasn’t announced a date when it’s removing the option to load mixed content in Chrome. Google’s web browser will be blocking all mixed content by default but will continue offering an option to enable mixed content for the foreseeable future.
What About Other Browsers?
Chrome isn’t alone. Firefox blocks mixed content like scripts and iframes, too, and requires you to click a “Disable protection for now” setting to re-enable it. We expect Mozilla to follow in Google’s footsteps. Apple’s Safari is aggressive about blocking mixed content, too.
And, of course, Microsoft’s new Edge browser will be based on the Chromium code that forms the basis for Google Chrome and will behave like Chrome.