Below is a press release posted on the Chrome Blog. We strongly encourage our customers to check whether their site has been updated so that nothing breaks when Google Chrome starts enforcing the stricter security rules described here.
Please contact us if you need help understanding the current security settings of your website. Our website development team is ready to help you maintain and preserve your website content today.
Thursday, October 3, 2019
Update (April 6, 2020): Mixed images auto-upgrade was originally planned for Chrome 81, but will be delayed at least until Chrome 84. See the Chrome Platform Status entry for the latest information on when mixed images will be auto-upgraded and blocked if they fail to load via https://. Sites with mixed images will continue to trigger the "Not Secure" warning.
Today we are announcing that Chrome will gradually begin to ensure that https:// pages can only load secure https:// subresources. In a series of steps described below, we will start to block mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web and present users with a clearer browser security UX.
Over the past few years, the web has made great progress in transitioning to HTTPS: Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. We are now working to make sure that HTTPS configurations on the web are secure and up to date.
HTTPS pages typically suffer from an issue called mixed content, where the page’s subresources are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, threatening user privacy and security. For example, an attacker could alter a mixed image of a stock chart to deceive investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure, but somewhere in between.
In a series of steps starting with Chrome 79, Chrome will gradually transition to blocking all mixed content by default. To minimize disruption, we’ll automatically upgrade mixed resources to https://, so sites will continue to function if their subresources are already available on https://. Users will be able to enable a setting to turn off mixed content blocking on particular websites, and below we will describe the resources available to developers to help them find and fix mixed content.
Instead of blocking all mixed content at once, we’re going to roll out this change in a series of steps.
- In Chrome 79, releasing on the stable channel in December 2019, we will introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site settings. This will replace the shield icon that appears on the right side of the omnibox to unblock mixed content in previous versions of Desktop Chrome.
- In Chrome 80, mixed audio and video assets will automatically upgrade to https://, and Chrome will block them by default if they fail to load through https://. Chrome 80 will release on early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
- Also in Chrome 80, mixed images will still be allowed to load, but Chrome will show a "Not Secure" chip in the omnibox. We anticipate that this is a clearer security UI for users and will encourage websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
- In Chrome 81, mixed images will automatically upgrade to https://, and Chrome will block them by default if they fail to load through https://. Chrome 81 will hit early release channels in February 2020.
Resources for developers
Developers should immediately migrate their mixed content to https:// to avoid warnings and outages. Here are some resources:
- Use Content Security Policy and the Lighthouse mixed content audit to discover and correct mixed content on your site.
- See this guide for general advice on migrating servers to HTTPS.
- Check with your CDN, web host, or content management system to see if they have special tools for debugging mixed content. For example, Cloudflare offers a tool to rewrite mixed content to https://, and WordPress plugins are also available.
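As an added example that is not part of the Chrome post or this site's tooling: a small Python scanner that lists http:// subresources in a page, maps each to the treatment described in the rollout steps above, and builds the upgrade-insecure-requests / block-all-mixed-content header mentioned under the Chrome 80 step. The sample HTML and hostnames are constructed for illustration.

```python
"""Find mixed content in an HTTPS page and report how Chrome's rollout treats it."""
import re
from html.parser import HTMLParser

# Treatment per element type, as described in the Chrome 79-81 rollout above.
TREATMENT = {
    "script": "already blocked by default; user can unblock via Site settings (Chrome 79+)",
    "iframe": "already blocked by default; user can unblock via Site settings (Chrome 79+)",
    "audio": "auto-upgraded to https:// in Chrome 80, blocked if the upgrade fails",
    "video": "auto-upgraded to https:// in Chrome 80, blocked if the upgrade fails",
    "img": "'Not Secure' chip in Chrome 80; auto-upgrade/block planned from Chrome 81 (delayed)",
}
HTTP_URL = re.compile(r"^http://", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collects (tag, url, treatment) for every element whose src is plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in TREATMENT:
            return
        url = dict(attrs).get("src") or ""
        if HTTP_URL.match(url):  # https:// and protocol-relative // URLs are not mixed
            self.findings.append((tag, url, TREATMENT[tag]))


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def upgraded(url):
    """The URL Chrome's auto-upgrade will try; it must actually serve over TLS."""
    return HTTP_URL.sub("https://", url)


def csp_header(block=False):
    """Header that upgrades http:// subresources, or blocks them outright."""
    directive = "block-all-mixed-content" if block else "upgrade-insecure-requests"
    return ("Content-Security-Policy", directive)


SAMPLE = """<html><body>
<img src="http://cdn.example/stock-chart.png"><img src="https://cdn.example/logo.png">
<video src="HTTP://media.example/intro.mp4"></video>
<script src="http://cdn.example/app.js"></script></body></html>"""  # constructed

if __name__ == "__main__":
    for tag, url, treatment in find_mixed_content(SAMPLE):
        print(f"<{tag}> {url} -> try {upgraded(url)}: {treatment}")
    print(": ".join(csp_header()))
```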
Posted by Emily Stark and Carlos Joan Rafael Ibarra Lopez, Chrome Security Team
Contact Social Link to help you navigate through the updates needed to make sure your site is protected from breaking after this release.