No more mixups: Google gets even stricter about HTTPS

We’ve written about how Google has been flagging websites that don’t have SSL Certificate encryption (HTTPS) as ‘Not secure’ since 2018. Now the internet giant has gone one step further to show how serious it is about website security.

What’s up

On October 3, the Chrome Security Team announced they will be blocking non-HTTPS subresources on HTTPS websites. This is called mixed content. Subresources are stuff like images, audio, video, scripts, and iframes that make your web pages more informative or interesting. Soon, even though you have an SSL Certificate (HTTPS) protecting your website, if any of your web pages have subresources which load over HTTP (an unsecured transfer channel), they’re going to be a no-no.

This may sound a little over the top at first, but it’s actually a really sensible move. Google wants to be sure that people viewing web pages on their browsers are safe. Mixed content is kind of like locking the door (with SSL Certificate protection for your website), but leaving the windows unlocked (images, videos, etc. on your web pages that load up without SSL encryption).

How will it happen?

Don’t panic, you won’t suddenly have parts of your web pages blocked and inaccessible. Google is going to roll this out in stages, over the next few Chrome releases:

Chrome 79, December 2019 ‒ mixed content that is blocked by default will get a new setting for unblocking it. Instead of using the usual shield icon to unblock subresources, you’ll click the padlock icon and select Site Settings.

Chrome 80, January 2020 ‒ mixed audio and video resources will be upgraded to HTTPS automatically, but if they fail to load securely, Chrome will block them by default. Users will still be able to unblock the content in Site Settings, but Google will flag them as ‘Not secure’ (not exactly something to give site visitors confidence in your website).

Chrome 81, February 2020 ‒ the same thing will happen with mixed images. They’ll be upgraded to HTTPS automatically, but if they fail to load securely, Chrome will block them by default.

What to do about it

To avoid the ‘Not secure’ flag showing in the Chrome 80 and 81 releases, Google advises you have your website developers use one of these Content Security Policy directives: upgrade-insecure-requests or block-all-mixed-content.

Scroll to the bottom of the Google announcement for more information about what website developers can do to prevent mixed content from getting blocked.
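To see which subresources on a page fall under the rollout above, and whether the site already sends one of the two Content Security Policy directives, a small audit script helps. The following is an added example, not code from Google's announcement; the function names, sample page and hostnames are constructed for illustration, and it assumes scripts and iframes are the mixed content Chrome already blocks by default.

```python
from html.parser import HTMLParser

# Treatment of each http:// subresource type, per the rollout described above.
TREATMENT = {
    "audio": "Chrome 80: upgraded to HTTPS, blocked if that fails",
    "video": "Chrome 80: upgraded to HTTPS, blocked if that fails",
    "img": "Chrome 81: upgraded to HTTPS, blocked if that fails",
    "script": "blocked by default",  # assumption: already blocked today
    "iframe": "blocked by default",  # assumption: already blocked today
}
CSP_DIRECTIVES = {"upgrade-insecure-requests", "block-all-mixed-content"}

class MixedContentFinder(HTMLParser):
    """Collects (kind, url, treatment) for subresources requested over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.media = None  # enclosing <audio>/<video>, used to classify <source>

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media = tag
        kind = self.media if tag == "source" else tag
        url = dict(attrs).get("src") or ""
        if kind in TREATMENT and url.strip().lower().startswith("http://"):
            self.findings.append((kind, url.strip(), TREATMENT[kind]))

    def handle_endtag(self, tag):
        if tag == self.media:
            self.media = None

def csp_mixed_content_directives(csp_header):
    """Return the mixed-content directives named in a Content-Security-Policy value."""
    names = {d.split()[0].lower() for d in csp_header.split(";") if d.strip()}
    return names & CSP_DIRECTIVES

def audit(html, csp_header=""):
    """Return (http:// subresource findings, mixed-content CSP directives present)."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings, csp_mixed_content_directives(csp_header)

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<img src="https://cdn.example.com/logo.png">
<img src="http://img.example.com/banner.jpg">
<video controls><source src="http://media.example.com/clip.mp4"></video>
<script src="HTTP://static.example.com/app.js"></script>
<a href="http://example.com/">links are navigation, not subresources</a>
"""
```

Calling `audit(SAMPLE_HTML, "default-src 'self'; upgrade-insecure-requests")` reports the image, the video source and the script, and shows that the policy already asks the browser to upgrade them.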

Wrap up

To create the safest online environment possible for website users, Google is taking an even stronger stand against websites that aren’t secured by SSL encryption. Their policy of flagging unprotected (non-HTTPS) websites as ‘Not secure’ will soon extend to mixed content such as images, video, and audio on web pages. If they don’t come from an SSL protected source, they will also be blocked by default from loading on Chrome browsers.

This change will happen over 3 Chrome releases, from December 2019 to February 2020, so make sure that your mixed content is HTTPS compliant. Don’t think of it as a headache. Think of it as keeping both the door and windows locked, so your website visitors are completely safe.
