Having already introduced warnings in Chrome that let you know when you’re visiting a non-secure website – that is, HTTP rather than HTTPS – Google is taking things further and is planning to start blocking ‘mixed content’.
In future versions of Chrome, Google will block HTTP content that is loaded by encrypted HTTPS sites. The company is taking steps to address the problem of secure sites that pull in content – such as scripts, media files and iframes – that are not secure. It calls this mixed content.
The reason for wanting to lock this down further is that HTTP content can be interfered with. This means that an incorrect image could be displayed, or a malicious script could be run in the background.
As it has done with previous changes, the new security feature is going to be rolled out gradually. Starting with Chrome 79, which is due to move from development and beta testing channels for a mainstream release in December, Google will start to completely block mixed content.
At the same time, the company will also introduce a new toggle that will enable users to unblock mixed content on specific sites. Google also says that in order to minimise disruption, it will “autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://”.
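For site owners who want to find mixed content on their own pages, the following added example (not from Google or the original article) scans an HTTPS page's HTML for scripts, media and iframes loaded over http:// and reports the https:// URL each one would need to be available at. The tag list, the sample HTML and the example.test hostnames are constructed assumptions, and the logic is a simple audit, not Chrome's own algorithm.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute loads a subresource: the kinds the article names
# (scripts, media files, iframes). Assumed list, not exhaustive.
SUBRESOURCE_TAGS = {"script", "iframe", "img", "audio", "video", "source"}

# Constructed sample page, used only for this demonstration.
SAMPLE_HTML = """
<script src="http://cdn.example.test/app.js"></script>
<img src="/logo.png">
<img src="//img.example.test/banner.png">
<iframe src="http://ads.example.test/frame.html?id=1"></iframe>
<video src="https://media.example.test/clip.mp4"></video>
<a href="http://other.example.test/">a link is navigation, not a subresource</a>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, insecure URL, https:// equivalent)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in SUBRESOURCE_TAGS or not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        parts = urlsplit(urljoin(self.page_url, src.strip()))
        if parts.scheme == "http":
            upgraded = parts._replace(scheme="https").geturl()
            self.findings.append((tag, parts.geturl(), upgraded))

def find_mixed_content(page_url, html):
    """Return insecure subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for tag, url, upgraded in find_mixed_content(
            "https://shop.example.test/index.html", SAMPLE_HTML):
        print(f"<{tag}> loads {url}; check that {upgraded} is served")
```

Relative and protocol-relative references inherit the page's scheme, so on an HTTPS page only the explicit http:// references are reported.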