Chrome to block images, audio, and video that aren’t secure

To increase privacy and security, and to improve the user experience when people visit sites with mixed content (pages served over HTTPS that also load assets over plain HTTP), Google is transitioning Chrome to block all non-secure assets.

The majority of sites on the internet now use HTTPS. The purpose of using HTTPS is to encrypt data between the site and the browser. However, many sites have mixed content, that is, assets such as scripts, iframes, images, audio, and video that are served unencrypted over HTTP.

The most dangerous kinds of mixed content are unencrypted scripts and iframes. That’s why Chrome blocks them by default. However, other types of mixed content that currently aren’t blocked also pose a threat to users. Emily Stark and Carlos Joan Ibarra, software engineers at Google who focus on Chrome security, said images, audio, and video are still allowed to load, which threatens users’ privacy and security.

An attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor non-secure but somewhere in between.

Emily and Carlos announced significant changes to Chrome that will affect how the browser processes mixed content. Starting with Chrome 80, the browser will begin blocking audio and video files served over HTTP in a mixed content environment. When Chrome 81 is released, it will block images that are served over HTTP in a mixed content environment.

| Asset Type | Chrome 79   | Chrome 80   | Chrome 81 |
|------------|-------------|-------------|-----------|
| Image      | Not Blocked | Not Blocked | Blocked   |
| Audio      | Not Blocked | Blocked     | Blocked   |
| Video      | Not Blocked | Blocked     | Blocked   |

Chrome 80 will also begin autoupgrading assets using HTTP to HTTPS. If the assets can’t be served over HTTPS, they will be blocked and won’t render in the browser.

I asked Emily on Twitter how autoupgrade works, and she said, “the scheme gets rewritten to https:// before [it starts] to load the resource.” That means the browser isn’t using a proxy. Instead, it’s merely changing the protocol used by the asset based on the upgrade request methodology outlined by W3C.
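Site owners can find this content before Chrome does. The script below is an added example written for this article, not code from Google or Chrome: it parses an HTML document, flags every image, audio, video, script, and iframe reference that resolves to http:// on an https:// page, applies the blocking schedule from the table above, and shows the https:// URL that Chrome 80’s autoupgrade would try first. The sample page, the `example.test` hostnames, and the rule that only the scheme is rewritten (ports and paths left untouched) are assumptions made for the example; the version thresholds come from the article.

```python
"""Audit an HTML page for mixed content and predict how Chrome 79-81 treat it."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# First Chrome version that stops loading each asset type over plain HTTP
# from an HTTPS page (per the article's table). 0 = already blocked by default.
BLOCKED_FROM = {"script": 0, "iframe": 0, "audio": 80, "video": 80, "img": 81}
URL_ATTRS = ("src", "poster")  # attributes that carry a resource URL


def upgrade_url(url):
    """Mimic autoupgrade as described in the article: rewrite http:// to https://.
    Assumption for this example: host, port and path are left exactly as they are."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def chrome_action(asset_type, version):
    """What the given Chrome version does with an http:// asset on an https:// page:
    'loads' (still allowed), 'upgrades' (rewritten to https://, blocked if that fails)
    or 'blocks' (scripts and iframes, blocked outright)."""
    first = BLOCKED_FROM[asset_type]
    if version < first:
        return "loads"
    return "upgrades" if first >= 80 else "blocks"


class MixedContentAuditor(HTMLParser):
    """Collects http:// resource references found in an https:// document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._media_stack = []  # enclosing <audio>/<video>, so <source> inherits a type

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self._media_stack.append(tag)
        asset_type = tag
        if tag == "source":
            if not self._media_stack:
                return  # <source> inside <picture> is not modelled here
            asset_type = self._media_stack[-1]
        if asset_type not in BLOCKED_FROM:
            return
        for attr, value in attrs:
            if attr not in URL_ATTRS or not value:
                continue
            resolved = urljoin(self.page_url, value)  # relative and // URLs inherit https
            if urlsplit(resolved).scheme != "http":
                continue
            self.findings.append({
                "tag": tag,
                "asset_type": asset_type,
                "attr": attr,
                "url": value,
                "upgraded": upgrade_url(resolved),
                "actions": {v: chrome_action(asset_type, v) for v in (79, 80, 81)},
            })

    def handle_endtag(self, tag):
        if self._media_stack and self._media_stack[-1] == tag:
            self._media_stack.pop()


def audit(html_doc, page_url):
    """Return the mixed-content findings for html_doc served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages that are themselves secure
    parser = MixedContentAuditor(page_url)
    parser.feed(html_doc)
    parser.close()
    return parser.findings


# Constructed sample page for the example; not a real site.
SAMPLE_PAGE = """<!doctype html>
<html><body>
  <img src="http://cdn.example.test/chart.png" alt="stock chart">
  <img src="https://cdn.example.test/logo.png" alt="logo">
  <img src="/images/local.png" alt="relative URL, inherits https">
  <video poster="http://cdn.example.test/poster.jpg">
    <source src="http://cdn.example.test/clip.mp4" type="video/mp4">
  </video>
  <audio src="//cdn.example.test/track.mp3"></audio>
  <script src="http://cdn.example.test/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "https://www.example.test/markets"):
        plan = ", ".join(f"Chrome {v}: {a}" for v, a in f["actions"].items())
        print(f"<{f['tag']} {f['attr']}> {f['url']} -> {f['upgraded']}  [{plan}]")
```

Run against the constructed page, the report lists four findings: the stock-chart image (loads in 79 and 80, upgraded in 81), the video poster and its `<source>` clip (upgraded from Chrome 80), and the script (blocked in every version). The logo, the relative image, and the scheme-relative audio track are not flagged because they already resolve to https://.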

It’s likely this change will also affect how Googlebot parses and renders sites. Google uses an evergreen version of Chromium, which means if Chrome 80 and 81 block non-secure assets, so will Googlebot.


Jon is the founder of Coywolf and the EIC and the primary author reporting for Coywolf News. He is an industry veteran with over 25 years of digital marketing and internet technologies experience. Follow @henshaw