Google today announced its latest steps for how Chrome labels HTTP and HTTPS sites. Starting in December 2019, Chrome will get a new setting to unblock mixed content (insecure HTTP subresources on HTTPS pages) on specific sites. Then, in February 2020, Chrome will start autoupgrading mixed content on HTTPS pages to HTTPS. Google’s ultimate goal is to ensure HTTPS pages in Chrome can only load secure HTTPS subresources.
HTTPS is a more secure version of the HTTP protocol used on the internet to connect users to websites. Secure connections are widely considered a necessary measure to decrease the risk of users being vulnerable to content injection (which can result in eavesdropping, man-in-the-middle attacks, and other data modification). Data is kept secure from third parties, and users can be more confident they are communicating with the correct website.
Google has been pushing the web to HTTPS for a while now, coaxing developers to avoid using HTTP. The company has especially accelerated its efforts over the last two years by leveraging its Chrome browser. Chrome 56, released in January 2017, started marking HTTP pages that collect passwords or credit cards as “Not secure.” Chrome 62, released in October 2017, started marking HTTP sites with entered data and all HTTP sites viewed in Incognito mode as “Not secure.” Chrome 68, released in July 2018, marked all HTTP sites as not secure. Chrome 69, released in September 2018, removed the “Secure” wording from HTTPS sites. Chrome 70, released in October 2018, showed a red “Not secure” warning when users entered data.
Google shared today that Chrome users now spend over 90% of their browsing time on HTTPS (you can view the latest progress for yourself here). But Google isn’t done yet. The company is now turning its focus to mixed content. Browsers already block some mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load insecurely.
Timeline for upgrading mixed content to HTTPS
Chrome 79, coming in December 2019, will introduce a new setting to unblock mixed scripts, iframes, and other types of content that the browser already blocks by default. Users will be able to toggle this setting (lock icon on HTTPS pages => Site Settings). This will replace the shield icon that shows up at the right side of Chrome’s omnibox.
Chrome 80, coming in February 2020 (early channels in January), will autoupgrade mixed audio and video resources to HTTPS. If they fail to load over HTTPS, Chrome will block them by default. Mixed images will still be allowed to load, but they will cause Chrome to mark the page as “Not secure” in the omnibox.
In Chrome 81, expected in April 2020 (early channels in February), mixed images will be autoupgraded to HTTPS. If they fail to load over HTTPS, Chrome will block them by default.
Google is hoping this timeline will motivate developers to migrate their website images to HTTPS. If you’re a developer looking to clean up your mixed content, you may want to check out the Content Security Policy, Lighthouse, and this HTTPS guide.
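As an added example (not from the article or from Chrome's own code), here is a small Python audit script that applies the timeline above to a page's markup: it flags subresources an https:// page loads over plain http://, reports how Chrome will treat each type, and shows the https:// URL an autoupgrade would request. The hostnames in the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Chrome's treatment of each mixed (http:// on an https:// page) subresource type, per the timeline above.
BLOCKED = "blocked by default; per-site unblock setting from Chrome 79"
UPGRADE_80 = "autoupgraded to https:// from Chrome 80, blocked if the upgrade fails"
POLICY = {"script": BLOCKED, "iframe": BLOCKED, "audio": UPGRADE_80, "video": UPGRADE_80,
          "img": "loads but marks the page Not secure in Chrome 80; autoupgraded from Chrome 81"}

class MixedContentAuditor(HTMLParser):
    """Collects subresources that an https:// page references over plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []
        self._media_parent = None  # lets <source> inherit its <audio>/<video> parent's policy

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self._media_parent = tag
        effective = self._media_parent if tag == "source" else tag
        url = dict(attrs).get("src")
        if effective not in POLICY or not url:
            return
        # Relative and protocol-relative (//host/...) URLs inherit https:// from the page,
        # so only an absolute http:// URL is mixed content.
        resolved = urljoin(self.page_url, url)
        if urlsplit(resolved).scheme != "http":
            return
        self.findings.append({"tag": tag, "url": resolved, "treatment": POLICY[effective],
                              "upgraded": "https://" + resolved[len("http://"):]})  # what autoupgrade fetches

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self._media_parent = None

def find_mixed_content(html, page_url):
    if urlsplit(page_url).scheme != "https":  # mixed content only exists on https:// pages
        return []
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><body>
<script src="http://cdn.example.test/app.js"></script>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/safe.png">
<img src="/local.png">
<video><source src="http://media.example.test/clip.mp4"></video>
<iframe src="https://embed.example.test/widget"></iframe></body></html>"""
```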