Google has announced that it will be cracking down on page resources to ensure that https pages can only load https sub-resources. The change will be enforced gradually over the next few releases of its browser, from Chrome 79 to Chrome 81 (we are currently on Chrome 77).
The steps will be rolled out as follows:
- In Chrome 79, releasing to a stable channel in December 2019, Google will introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.
- In Chrome 80, mixed audio and video resources will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
- Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.
- In Chrome 81, mixed images will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.
Ensuring that all resources are migrated to https can be done within a CDN, web host or content management system. We would recommend focusing on migrating these in the order that they will be blocked within Google Chrome:
- Scripts and iframes will be targeted in December 2019
- Audio, video and images will be targeted in January 2020
This is important because any non-secure resource could be blocked by Chrome, including images, videos, audio, JavaScript/CSS files, and even tracking pixels and scripts, both internally and externally hosted.
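One way to audit a page for the resources described above, as an added example that is not part of the original article: it parses HTML, lists every sub-resource still referenced over http://, and sorts the results in the migration order recommended here. The tag-to-priority mapping (including treating stylesheets like scripts) and the sample page with its placeholder hosts are assumptions of this example.

```python
from html.parser import HTMLParser

# (tag, attribute) -> migration priority, following the order in the article:
# 1 = scripts/iframes (plus stylesheets, an assumption of this example),
# 2 = audio/video (Chrome 80), 3 = images (warning in 80, upgraded in 81).
RULES = {
    ("script", "src"): 1, ("iframe", "src"): 1, ("link", "href"): 1,
    ("audio", "src"): 2, ("video", "src"): 2, ("source", "src"): 2,
    ("img", "src"): 3,
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (priority, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (rule_tag, attr), priority in RULES.items():
            if rule_tag != tag:
                continue
            # <link> only loads a sub-resource here when it is a stylesheet.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            url = (attrs.get(attr) or "").strip()
            # Protocol-relative (//host/x) and https:// URLs are not mixed content.
            if url.lower().startswith("http://"):
                self.findings.append((priority, tag, url))

def find_mixed_content(html):
    """Return insecure sub-resources of an HTTPS page, most urgent first."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return sorted(finder.findings, key=lambda f: f[0])

# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://tracker.example.net/t.js"></script>
</head><body>
<img src="http://tracker.example.net/pixel.gif" />
<img src="//cdn.example.com/logo.png">
<video src="HTTP://media.example.com/intro.mp4"></video>
<a href="http://example.org/">plain link, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    for priority, tag, url in find_mixed_content(SAMPLE):
        print(priority, tag, url)
```

Ordinary `<a href>` links and canonical tags are not reported, because navigating to or naming an http:// URL does not load it as a sub-resource of the page.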
Chrome is still the leading browser across all devices, currently holding a 63.72% market share, with the closest competitor, Safari, at 16.34%. It’s plausible that other browsers could follow suit and also block mixed content.
We would recommend that all resources are migrated to https as soon as possible, as this will remove the risk of users not being able to correctly view your site and will also ensure that your content is not blocked by Google in January 2020 when they remove the option to unblock resources.
by Zack Cornick