What is mixed content? And why does Chrome block it?

Google Chrome has blocked some types of mixed content on the web. Now, Google says it will make this issue more serious. Starting in 2020, Chrome will block all mixed content by default, breaking some existing websites. So, what is mixed content? Why is Chrome blocking it?

1. What to do if Google Chrome warns an insecure website?
2. Do you know how to block websites on Chrome?
3. How to fix SSL connection error on Chrome and Firefox

What is mixed content?

There are two types of content here: content delivered over an encrypted, secure HTTPS connection, and content delivered over an unencrypted HTTP connection. When using HTTPS, content is not tracked or tampered with during transit, which is why important websites offer this encryption when handling financial information or private data.

The web is turning to secure HTTPS sites. If you visit an older HTTP site without encryption, Google Chrome will warn you that these sites are Not secure. Now, Google even hides 'htttp: //' by default. And the new HTTP / 3 standard will have integrated encryption.

But some websites may not be completely HTTPS or HTTP. Some websites are delivered over a secure HTTPS connection, but images, scripts, or other resources over an unencrypted HTTP connection. Such sites have mixed content because they are not completely secure. The site itself cannot be faked, but images, scripts, or iframes (web pages within a frame on another site) may be spoofed.

Why is mixed content not good?

What is mixed content? And why does Chrome block it? Picture 1

Mixed content is confusing. You are viewing a website that is both safe and unsafe. For example, a website that is usually safe and secure can retrieve a JavaScript file via HTTP. That script can be modified if you are using an unreliable public Wi-Fi network to do a lot of bad things on the web from tracking your keystrokes to inserting tracking cookies.

1. Things to know when using wifi in public

While scripts and iframes - active content - are the most dangerous, even images, videos and audio-mixed content can be at risk. For example, imagine you are viewing a secure stock trading website that takes pictures of stock history via HTTP when the image is not secure, it can be faked in transit to show Show incorrect information. In addition, because it is transported over an unencrypted connection, anyone who is snooping on the data during transit knows the type of stock you're looking at.

That is why mixed content is not good. If the site uses HTTPS, all its resources will be shipped over HTTPS. The site is gradually upgraded to HTTPS. However, they do not always update to use HTTPS resources or depend on third-party resources that do not support HTTPS.

Currently, Google and other browser vendors make mixed content more difficult, forcing the site to clean up everything so it can continue to work by default.

So what exactly does Chrome change?

Chrome currently blocks mixed scripts and iframes. In Chrome 80, which will be released early in January 2020, Chrome will block mixed audio and video resources. Technically, it will try to download them over a secure HTTPS connection and block them if not over a secure connection. Mixed images may load, but Chrome will notify the site that it is unsafe. In Chrome 81, Chrome will stop loading mixed images. Users can allow mixed content downloads but cannot download by default.

These actions will make the web more secure. The blog post on Google says it hopes the 'Not Secure' announcement will be the driving force for websites to transfer their images over HTTPS.

How Chrome allows to unblock mixed content

What is mixed content? And why does Chrome block it? Picture 2

Chrome has blocked some types of mixed content with the shield icon in the address bar and the message Insecure content blocked. To unblock a mixed script, you must click on the link named Load unsafe scripts .

If you agree to run mixed content, the site changes from Secure to Not Secure .

What is mixed content? And why does Chrome block it? Picture 3

Google will simplify this in Chrome 79, released in December 2019. You will have to click on the lock icon to the left of the page address, click on Site Settings and then unblock mixed content for that site.

This option is a bit difficult to find, but that is why most users should not enable mixed content for the site. Website developers need site editing to provide secure resources. This option ensures that those who use the older business website will still be able to continue to access it, even if mixed content is disabled for everyone.

If you need a website that requires this, you don't need to worry. Google did not announce the date it removed the option to download mixed content on Chrome. Google's web browser will block mixed content by default but will continue to offer the option to enable it in the near future.

So what about other web browsers?

What is mixed content? And why does Chrome block it? Picture 4

Chrome is not alone in this war. Firefox also blocks mixed content like scripts and iframes, requiring users to click on the Disable protection for now setting to re-enable it. Hopefully Mozilla will follow in the footsteps of Google. Apple's Safari is also very active in blocking mixed content.

And of course, Microsoft's new Edge browser is based on the Chromium code that forms the foundation for Google Chrome and will work just like Chrome.