Table of content
- What are mixed content, HTTPS and HTTP?
- What does blocking all insecure content by default mean?
- Google's schedule to make all the changes
- December 2019 (last year)
- January 2020
- February 2020
- Consequences of these essential changes
- Effect 1: - Loss of traffic and visitors
- Effect 2: - Some hidden content on your website
- Several approaches to solving the "mixed content" problem
- If the file URL is your website
- If the data URL is not your website
- Bulk changes to insecure "mixed content"...
- Make contact/s/ with your third-party supplier
- Conclusion
- Seven tips to strengthen the security of your web solutions based on my painful experience
Mixed content is content under a site that has an HTTPS certificate, but the resources are not secure. To further improve user privacy, Google announced on October 3, 2019 that it will migrate all insecure "mixed content" to HTTPS and block insecure content by default. In other words, users might not see some of the content on your website. If you are loading an insecure HTTP connection on a secure page, you should consider fixing them. We will come back to this announcement in more detail in this article. Also, we will see all the options you have in such cases.
What are mixed content, HTTPS and HTTP?
HTTP stands for "HyperText Transfer Protocol". It is a language used by the web to communicate requested resources between web clients and a server. HTTPS is the secure version of HTTP. To encrypt communication between a web client and a server, you need HTTPS. One of the advantages of HTTPS is that it prevents data transmitted between clients and servers from being easily corrupted or interpreted by malicious third parties. Mixed content is when your HTML document loads with both a secure HTTPS connection and an unsecured HTTP connection. For example, if you install an SSL certificate on your website and upload content such as images, scripts, or videos over an unsecured connection, we would say that your webpage is unsecured mixed content.
What does blocking all insecure content by default mean?
The above statement means that all content with an insecure connection will not display on a user's browser unless they allow it. This function was available on Chrome for scripting and iFrame. Google has just extended this functionality to all types of resources. You are asked to make some adjustments to your website. For example, I intentionally change the HTTPS of one of my JavaScript files to HTTP. You can see the error to your right. Also, you will see that the page stops loading content (because data is crucial).
Google's schedule to make all the changes
Below are some deadlines that are likely to be or will occur in how Chromium handles "mixed content".
December 2019 (last year)
Google released a stable channel in Chrome 79. A new setting helps unblock mixed content on specific sites. As announced by Google, a user can now toggle the configuration by clicking on the HTTPS lock. Previously, there was a red shield icon to the right of the URL.
January 2020
It was the turn of audio and video resources (Chrome 80). Therefore, if you have audio or video from an unsecured source, you will need to unlock the above setting. Note that you can make still images on Chrome 80. You will notice that your web page will display a "Not Secure" notice.
February 2020
Any "mixed content" you upload will not be displayed. Unless a user decides to enable the setting.
Consequences of these essential changes
In case you didn't understand, there are many effects related to this change. Here are a few :
Effect 1: – Loss of traffic and visitors
Few people will want to stay on a website if they feel the site is insecure. Even though the review wouldn't technically "harm" a visitor, they may feel threatened and leave. As a result, you may see a decrease in the number of your visitors. We all know that the popularity of a web page also depends on the number of visitors and the length of their stay.
Effect 2: – Some hidden content on your website
Unlike JavaScript, which doesn't necessarily display, people will quickly notice certain changes on your site. For example, if by default a user does not allow your insecure content to be displayed, what will be displayed will be blank spaces.
Several approaches to solving the "mixed content" problem
The source of "mixed content" could be:
- An image on your site
- Iframes or videos
- Script or style sheet
- Any other link
As a website owner, you may or may not have enough information about where the file is located on your server. The source can be directly in your code or in third-party resources. Below are the options to fix the problem.
If the file URL is your website
You can find the page template or the code that populates the page and change HTTP to HTTPS. For example, suppose you have an images.jpg image that causes the "Mixed Content" notice. To solve it you will need to locate where the file is and replace the "HTTP:" with "HTTPS:" Eventually you will have images.jpg
If the data URL is not your website
In this case, you will try to apply the above recommendation. Two things can happen; if the external site is secure, you will be fine. On the other hand, if it is not secure, you will still see the notice. At this point, I'll recommend that you either download the external file (if you're allowed to) or look for an alternative.
Bulk changes to insecure "mixed content"…
If you're using a database to power your site's content, all of your mixed content can live directly in your database. In this case, you must issue a request to apply the change to the entire "HTTP:" connection. The article below can guide you through the steps " How to create a domain without cookies ". Pay attention to the point "3. Update your SQL database with the following query" almost at the end of the article.
Make contact/s/ with your third-party supplier
Changing all "HTTP:" requests to "HTTPS:" may not be safe when dealing with third-party resources. For example, if you are using external software to display vlog on your website via iFrame or API, in case the medium is not secure, the change will not help. In this case, if you can, you can check with the provider for an SSL update. If not, check if you can have another secure resource to perform the same function.
Conclusion
The article was about a secure website that loaded insecure "mixed content". Throughout the report, we've discussed what it means to have insecure "mixed content." We have also seen the approaches to solving the problems. If you have a problem with loading insecure resources and you didn't get an answer in this article, can you tell us about your situation? We will be happy to help you. If you like this article, you might be interested in this one:
Leave a comments: