Google migrates insecure “mixed content” to HTTPS in Chrome and blocks all insecure content by default

This article explains how Google is migrating all insecure "mixed content" to HTTPS and blocking insecure content by default. Here are some approaches to solving the "mixed content" problem: locate the page template or code that fills the page and change http to https; download external files that are not served securely (if you have the right to); run a query to apply the change to every http: URL in your database.


Mixed content is content on a site served over HTTPS (with a certificate) that loads some of its resources over an insecure connection.

To further improve user privacy protection, Google announced on October 3, 2019, that it would migrate all insecure “mixed content” to HTTPS and block insecure content by default. In other words, users might not see some content on your website. If you are loading resources over an unsecured HTTP connection on a secure page, you should think about fixing them. We will come back to this announcement in more detail in this article, and we will go through the options available to you in such cases.

What are mixed content, HTTPS and HTTP?

HTTP stands for “HyperText Transfer Protocol.” It is the protocol the web uses to transfer requested resources between web clients and a server. HTTPS is the secure version of HTTP: it encrypts the communication between a web client and a server. One of the advantages of HTTPS is that it prevents data transmitted between clients and servers from being easily altered or read by malicious third parties.

We talk about mixed content when your HTML document is loaded over a secure HTTPS connection but pulls in resources over an unsecured HTTP connection. For example, if you install an SSL certificate on your website and load content like images, scripts, or videos over an insecure connection, your web page has insecure mixed content.

What does blocking all unsafe content by default mean?

The above statement means that all content loaded over an insecure connection will not display in a user’s browser unless they allow it. This blocking was already in place in Chrome for scripts and iframes. Google has now extended it to all types of resources, so you may need to make some adjustments to your website.

For example, I intentionally change the HTTPS of one of my JavaScript files to HTTP. You can see the error to your right. Additionally, you will see that the page stops loading content (because data is crucial).

Google calendar to make all changes

Below are the milestones in the way Chromium treats “mixed content.”

December 2019 (last year)

Google released Chrome 79 to the stable channel. A new setting is used to unblock mixed content on specific sites. As announced by Google, a user can now toggle the configuration by clicking on the HTTPS lock. Previously there was a red shield icon to the right of the URL.

January 2020

It was the turn of audio and video resources (Chrome 80). Therefore, if you have audio or video from an insecure source, you will need to unlock the above setting.

Note that insecure images can still load on Chrome 80. You will notice, however, that your web page displays a “Not Secure” notice.

February 2020

Any “mixed content” you load will not be displayed unless a user decides to enable the setting.

Consequences of the changes

To be clear, there are many effects associated with this change. Here are a few:

Effect 1: Loss of traffic and visitors

Not many people will want to stay on a website if they feel the site is not secure. Although the notice would not technically “harm” a visitor, they may feel threatened and leave. As a result, you may see a decrease in the number of your visitors. We all know that a web page’s popularity also depends on the number of visitors and the length of their stay.

Effect 2: Some hidden content on your website

Unlike a blocked JavaScript file, which is not necessarily visible, other blocked content produces changes that people will quickly notice on your site. For example, if a user does not allow your insecure content to be viewed (the default), blank spaces will be displayed in its place.

Several approaches to solve the problem of “mixed content”

The source of “mixed content” could be:

  • An image on your site
  • Iframes or videos
  • Script or stylesheet
  • Any other link

As the owner of a website, you may or may not have enough information about the file’s location on your server. The source can be found directly in your code or third-party resources. Below are the options to resolve the issue.

If the URL of the file is your website

You can find the page template or the code that fills the page and change HTTP to HTTPS. For example, suppose you have an image http://prositeweb.ca/images.jpg that causes the “Mixed Content” notice. To resolve it, you will need to locate where the file is referenced and replace the “HTTP:” with “HTTPS:”. Eventually, you will have https://prositeweb.ca/images.jpg.

If the data URL is not your website

In this case, start by applying the above recommendation. Two things can happen: if the external site is secure, you will be fine. However, if it is not secure, you will still see the notice. At this point, I recommend that you either download the external file (if you have the right) or look for an alternative.

Bulk changes on unsecured “mixed content” …

If you use a database to feed content on your site, all of your mixed content can be found directly in your database. In this case, you must run a query to apply the change to every “HTTP:” URL. The article “How to create a domain without cookies” can guide you through the steps. Pay attention to the point “3. Update your SQL database with the following query” almost at the end of the article.

Contact your third-party provider.

Changing all requests from “HTTP:” to “HTTPS:” may not be safe when dealing with third-party resources. For example, if you are using external software to display vlogs on your website via iFrame or API, the change will not be helpful if the media is not secure. In this case, check with the provider, if you can, for an SSL update. Otherwise, check if you can have another secure resource to perform the same function.
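As an added example (not code from the original article), the Python sketch below scans a page's HTML for http: subresources and separates same-host URLs, which can be rewritten to https, from third-party ones, which need checking with the provider first. The sample page, the host videos.example and the function names are constructed for illustration; hosts are compared by exact match.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute triggers a subresource load.
# <a href> is navigation, not mixed content, so it is ignored.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    """Collect http: subresources, sorted by the fix the article describes."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.own = []          # same host: rewrite to https in template or database
        self.third_party = []  # other host: confirm the provider serves HTTPS first

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in SRC_TAGS:
            value = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            value = a.get("href")
        else:
            return
        url = urlsplit((value or "").strip())
        if url.scheme != "http":
            return  # https:, protocol-relative and relative URLs are fine
        host = (url.hostname or "").lower()
        bucket = self.own if host == self.site_host else self.third_party
        bucket.append((tag, value.strip()))

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    return finder.own, finder.third_party

def upgrade_own_urls(html, own):
    """Rewrite only same-host URLs; third-party ones are left for manual review."""
    for _, url in own:
        html = html.replace(url, "https://" + url[len("http://"):])
    return html

# Constructed sample page; prositeweb.ca is the host used in the article.
SAMPLE = """<html><body>
<img src="http://prositeweb.ca/images.jpg">
<script src="https://prositeweb.ca/app.js"></script>
<iframe src="http://videos.example/embed/1"></iframe>
<a href="http://prositeweb.ca/about">About</a>
</body></html>"""

if __name__ == "__main__":
    own, third_party = find_mixed_content(SAMPLE, "prositeweb.ca")
    print("rewrite:", own, "check provider:", third_party)
```
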

Conclusion

This article was about secure websites that load unsecured “mixed content.” Throughout the article, we have discussed what it means to have insecure “mixed content.” We also saw the approaches to solving the problem.

If you have a problem with loading insecure resources, and you did not get an answer in this article, can you tell us about your situation? We will be happy to help you.
