
Google Chrome will block mixed content in the near future


Karlston


Google Chrome will soon block all mixed content by default. Google revealed a plan in October that details how the company's Chrome browser will handle mixed content in the next release versions.

 

Mixed content refers to sites that load via HTTPS but use HTTP resources. A simple example is a site that loads an image via HTTP while the page itself is accessed via HTTPS. Chrome blocks scripts and iframes by default if they are loaded via HTTP on HTTPS sites but allows static content such as images to be displayed.

 

The behavior threatens the privacy and security of users according to Google as an "attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load".

 

Starting with Chrome 79 Stable, expected to be released in December 2019, Chrome will gradually upgrade or block mixed content that it encounters.

 


 

The company announced the following timeline:

  • Chrome 79 -- New option in Site Settings to unblock mixed content in Google Chrome for specific sites. Just click on the icon in front of the address and select Site Settings from the interface that opens; Chrome loads the Site Settings for the site in question. Locate Insecure Content to change it to Ask or Allow for that particular site.
  • Chrome 80 -- Audio and Video resources will be upgraded to HTTPS automatically if possible. If that is not possible, they will be blocked.
  • Chrome 80 -- Mixed images will still load but Chrome displays a "not secure" label in the address bar.
  • Chrome 81 -- Mixed images will be upgraded to HTTPS if possible or blocked if that is not possible.

Chrome users may use the insecure content site setting to allow blocked resources on a particular site.

 

Mozilla, maker of Firefox, implemented a new preference in Firefox 60 to allow mixed content in the browser. It is turned off by default, however.

The impact

The change has an impact on image, video, and audio resources that are loaded via HTTP currently on HTTPS sites. Chrome attempts to upgrade these resources to HTTPS automatically but that will work only if the site the resources are loaded from supports it (meaning it supports HTTP and HTTPS). If that is not the case, the resources won't be loaded in Chrome 80 (video/audio) and Chrome 81 (images).

 

Chrome gets a new option in version 79 to allow these resources to be loaded if blocked by the browser; this is done to make sure that content does not break on certain sites that still have not been upgraded to HTTPS fully.

 

 

Source: Google Chrome will block mixed content in the near future (gHacks - Martin Brinkmann)

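As an added example (not part of the quoted article and not Chrome's own code), this Python scanner audits the HTML of an HTTPS page for HTTP subresources and labels each with the handling the article's timeline describes. The `.example` hostnames and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Handling the article describes for each kind of HTTP subresource on an HTTPS page.
POLICY = {
    "script": "blocked by default",
    "iframe": "blocked by default",
    "audio": "Chrome 80: upgraded to HTTPS or blocked",
    "video": "Chrome 80: upgraded to HTTPS or blocked",
    "img": "Chrome 80: 'not secure' label; Chrome 81: upgraded to HTTPS or blocked",
}
# Constructed sample markup (hypothetical hosts), used only to exercise the scanner.
SAMPLE_HTML = """
<img src="http://img.example/chart.png">
<img src="//img.example/logo.png"> <img src="/local.png">
<script src="http://cdn.example/app.js"></script>
<video controls><source src="http://media.example/clip.mp4"></video>
<audio src="https://media.example/ok.mp3"></audio>
"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media = None  # enclosing <audio>/<video>, so <source> children are attributed to it
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media = tag
        kind = self.media if tag == "source" else tag
        src = dict(attrs).get("src")
        if kind not in POLICY or not src:
            return
        # Resolve relative and protocol-relative URLs against the page before judging the scheme.
        url = urljoin(self.page_url, src.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, url, POLICY[kind]))

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self.media = None

def scan(page_url, html):
    # Mixed content only exists when the page itself was loaded over HTTPS.
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Calling `scan("https://site.example/", SAMPLE_HTML)` returns one `(kind, url, handling)` tuple per HTTP subresource; relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported.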

That's not new news; I posted about it last month.

 

Firefox has had a Mixed Content blocker since Firefox 23 - April 2013.

https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

 

Here it is 2019 and it's still a problem; blocking it on many sites breaks images and things. So Google is going to push people to use HTTPS; they should have done this 6 years ago because we've been subject to it for years. By now HTTPS is full of holes and many sites' HTTPS are hacked every day, so we need something better; that's why I use system-wide encryption. It doesn't matter to me if the site uses HTTPS or not because their traffic is encrypted on my system regardless. :yes:

 

An ad company is not ever going to put anything useful in their browser. HTTPS doesn't protect you from their ads or their spying because it's all served over HTTPS to begin with; it just obfuscates their data sucker to where you can't figure out what it does. Ask all those people hacked on Facebook serving up ads if they were protected using HTTPS. :lmao:

 

They need to look at their OS, Android, that is full of unsecure apps that use HTTP that are not browsers; it's not even safe to use without a VPN really. Browsers are only part of the problem. At least on Windows you can block apps with a firewall if they don't need internet. Microsoft is the biggest problem on Windows and you can block that too. And on Linux apps don't call home unless you're using it and it needs internet, unless you set your system up to auto-update. Smartphones call home 24/7 and Chrome OS needs internet to even work. The problem is not HTTPS; the problem is everything is designed to call home.

 

If it's online it can be remotely hacked regardless of whether it uses HTTPS or HTTP. The only thing HTTPS does is protect Google and obfuscate traffic, but it doesn't hide what you do from Google, the government or anyone who is doing man-in-the-middle attacks. If Google and others didn't hide what they do with data they'd all be shut down. That's why they're throwing a fit over DNS over HTTPS; that's one of the ways ISPs do man-in-the-middle attacks. If the ISPs do it you know the government does it too. But using DNS over HTTPS on Google Chrome is an oxymoron because they only have providers that log. So there's another man in the middle tracking you. Unless you're using encryption that is not logged the point is moot.

 
