{"id":1130,"date":"2019-10-11T07:39:07","date_gmt":"2019-10-11T14:39:07","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=1130"},"modified":"2023-09-27T13:16:14","modified_gmt":"2023-09-27T20:16:14","slug":"no-more-mixups-google-gets-even-stricter-about-https","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/no-more-mixups-google-gets-even-stricter-about-https\/","title":{"rendered":"No more mixups: Google gets even stricter about&nbsp;HTTPS"},"content":{"rendered":"<pre>We\u2019ve written about how Google has been flagging websites that don\u2019t have <a href=\"https:\/\/www.ssls.com\/\">SSL Certificate<\/a> encryption (HTTPS) as \u2018Not secure\u2019 since 2018. Now the Internet Giant has gone one step further to show how serious they are about website security.<\/pre>\n\n\n<!--more-->\n\n\n<h2>What\u2019s up<\/h2>\n<p>On October 3, the Chrome Security Team announced they will be blocking non-HTTPS subresources on HTTPS websites. This is called mixed content. Subresources are stuff like images, audio, video, scripts, and iframes that make your web pages more informative or interesting. Soon, even though you have <a href=\"https:\/\/www.ssls.com\/\">an SSL Certificate (HTTPS) protecting your website<\/a>, if any of your web pages have subresources which load over HTTP (an unsecured transfer channel), they\u2019re going to be a no-no.<\/p>\n<p>This may sound a little over the top at first, but it\u2019s actually a really sensible move. Google wants to be sure that people viewing web pages on their browsers are safe. Mixed content is kind of like locking the door (with <a href=\"https:\/\/www.ssls.com\/blog\/symantec-ev-ssl-authentication-guide\/\">SSL Certificate protection<\/a> for your website), but leaving the windows unlocked (images, videos, etc. 
on your web pages that load up without <a href=\"https:\/\/www.ssls.com\/blog\/whatsapp-finally-launching-end-to-end-encryption-for-backups\/\">SSL encryption<\/a>).<\/p>\n<h2>How will it happen?<\/h2>\n<p>Don\u2019t panic, you won\u2019t suddenly have parts of your web pages blocked and inaccessible. Google is going to roll this out in stages over the next few Chrome releases:<\/p>\n<p>Chrome 79, December 2019 \u2012 mixed content that is blocked by default will get a new setting for unblocking it. Instead of seeing the usual shield icon to unblock subresources, you\u2019ll now click the padlock icon and select Site Settings.<\/p>\n<p>Chrome 80, January 2020 \u2012 mixed audio and video resources will be upgraded to HTTPS automatically, but if they fail to load securely, Chrome will block them by default. Users will still be able to unblock the content in Site Settings, but Google will flag them as \u2018Not secure\u2019 (not exactly something to give site visitors confidence in your website).<\/p>\n<p>Chrome 81, February 2020 \u2012 the same thing will happen with mixed images. 
They\u2019ll be upgraded to HTTPS automatically, but if they fail to load securely, Chrome will block them by default.<\/p>\n<h3>What To Do About It<\/h3>\n<p>To avoid the \u2018Not secure\u2019 flag showing in the Chrome 80 and 81 releases, Google advises you have your website developers use one of these Content Security Policy directives: <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Upgrade-Insecure-Requests\">upgrade-insecure-requests<\/a> or <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy\/block-all-mixed-content\">block-all-mixed-content<\/a>.<\/p>\n<p>Scroll to the bottom of the <a href=\"https:\/\/blog.chromium.org\/2019\/10\/no-more-mixed-messages-about-https.html\">Google announcement<\/a> for more information about what website developers can do to prevent mixed content from getting blocked.<\/p>\n<h3>Wrap up<\/h3>\n<p>To create the safest online environment possible for website users, Google is taking an even stronger stand against websites that aren\u2019t <a href=\"https:\/\/www.ssls.com\/blog\/crypto-wallets-targeted-by-phishing-scam-via-mailchimp\/\">secured by SSL encryption<\/a>. Their policy of flagging unprotected (non-HTTPS) websites as \u2018Not secure\u2019 will soon extend to mixed content on web pages like images, video, and audio. If they don\u2019t come from an <a href=\"https:\/\/www.ssls.com\/blog\/crypto-wallets-targeted-by-phishing-scam-via-mailchimp\/\">SSL protected<\/a> source, they will also be blocked by default from loading on Chrome browsers.<\/p>\n<p>This change will happen over 3 Chrome releases, from December 2019 to February 2020, so make sure that your mixed content is HTTPS compliant. Don\u2019t think of it as a headache. 
Think of it as keeping both the door and windows locked, so your website visitors are completely safe.<\/p>","protected":false},"excerpt":{"rendered":"<p>We\u2019ve written about how Google has been flagging websites that don\u2019t have SSL Certificate encryption (HTTPS) as \u2018Not secure\u2019 since 2018. Now the Internet Giant has gone one step further to show how serious they are about website security.<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1130","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=1130"}],"version-history":[{"count":7,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1130\/revisions"}],"predecessor-version":[{"id":2665,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1130\/revisions\/2665"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=1130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=1130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=1130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}