The majority of sites on the internet now use HTTPS. The purpose of using HTTPS is to encrypt data between the site and the browser. However, many sites have mixed content: assets such as scripts, iframes, images, audio, and videos that are loaded by an HTTPS page but served unencrypted over HTTP.
The most dangerous mixed content to serve is unencrypted scripts and iframes. That’s why Chrome blocks them by default. However, other types of mixed content that currently aren’t blocked also pose a threat to users. Emily Stark and Carlos Joan Ibarra, software engineers at Google who focus on Chrome security, said
images, audio, and video are still allowed to load, which threatens users’ privacy and security.
An attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor non-secure but somewhere in between.
Emily and Carlos announced significant changes to Chrome that will affect how the browser processes mixed content. Starting with Chrome 80, the browser will begin blocking audio and video files served over HTTP in a mixed content environment. When Chrome 81 is released, it will block images that are served over HTTP in a mixed content environment.
| Asset Type | Chrome 79 | Chrome 80 | Chrome 81 |
| Image | Not Blocked | Not Blocked | Blocked |
Chrome 80 will also begin autoupgrading assets using HTTP to HTTPS. If the assets can’t be served over HTTPS, they will be blocked and won’t render in the browser.
I asked Emily on Twitter how autoupgrade works, and she said,
the scheme gets rewritten to https:// before [it starts] to load the resource. That means the browser isn’t using a proxy. Instead, it’s merely changing the protocol used by the asset based on the upgrade request methodology outlined by W3C.
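To make the rollout above concrete for a site operator auditing their own pages, here is an added example (not code from the article, from Chrome, or from the engineers quoted) that finds the subresources in an HTML page, decides which ones are mixed content, and models the policy the article describes: scripts and iframes blocked outright, audio and video autoupgraded from Chrome 80, images from Chrome 81, with the upgraded URL blocked when it cannot be served over HTTPS. The autoupgrade step is exactly the scheme rewrite Emily describes: `http://` becomes `https://` and nothing else about the URL changes. The version thresholds come from the article; the sample HTML, the `.test` hostnames and the `https_available` callback (standing in for the browser's actual HTTPS fetch) are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Policy as described in the article. Scripts and iframes are blocked outright;
# the other types are autoupgraded from the listed Chrome version onwards and
# blocked only if the upgraded (https://) load cannot be served.
BLOCKED_OUTRIGHT = {"script", "iframe"}
AUTOUPGRADE_FROM = {"audio": 80, "video": 80, "img": 81}
SRC_TAGS = {"script", "iframe", "img", "audio", "video", "source"}


class SubresourceCollector(HTMLParser):
    """Collect (asset kind, raw src) pairs; <source> inside <audio>/<video>
    is attributed to the enclosing media element."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._media = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("audio", "video"):
            self._media = tag
        kind = self._media if tag == "source" and self._media else tag
        if tag in SRC_TAGS and attrs.get("src"):
            self.found.append((kind, attrs["src"]))

    def handle_endtag(self, tag):
        if tag in ("audio", "video"):
            self._media = None


def resolve(page_url, raw):
    """Resolve a reference against the page URL. Relative paths and
    protocol-relative (//host/...) references inherit the page's scheme,
    so only an explicit http:// URL on an https:// page is mixed content."""
    absolute = urljoin(page_url, raw)
    mixed = urlsplit(page_url).scheme == "https" and urlsplit(absolute).scheme == "http"
    return mixed, absolute


def autoupgrade(url):
    """The autoupgrade rewrite: swap the scheme to https://, keep everything else."""
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def audit(html, page_url, chrome_version, https_available=lambda url: True):
    """Return (kind, effective url, outcome) for every subresource, where outcome is
    'ok' (not mixed), 'blocked', 'upgraded', or 'loaded-mixed' (still allowed in
    this Chrome version). https_available is a hypothetical hook standing in for
    whether the upgraded URL can actually be served over HTTPS."""
    collector = SubresourceCollector()
    collector.feed(html)
    report = []
    for kind, raw in collector.found:
        mixed, absolute = resolve(page_url, raw)
        if not mixed:
            report.append((kind, absolute, "ok"))
        elif kind in BLOCKED_OUTRIGHT:
            report.append((kind, absolute, "blocked"))
        elif chrome_version >= AUTOUPGRADE_FROM.get(kind, float("inf")):
            upgraded = autoupgrade(absolute)
            outcome = "upgraded" if https_available(upgraded) else "blocked"
            report.append((kind, upgraded, outcome))
        else:
            report.append((kind, absolute, "loaded-mixed"))
    return report


# Constructed sample page: hostnames use the reserved .test TLD.
PAGE_URL = "https://www.example.test/page"
SAMPLE_HTML = """
<img src="http://cdn.example.test/chart.png">
<img src="//cdn.example.test/logo.png">
<img src="/static/local.png">
<video src="http://media.example.test/clip.mp4"></video>
<audio><source src="http://media.example.test/track.mp3"></audio>
<script src="http://cdn.example.test/app.js"></script>
<iframe src="http://ads.example.test/frame"></iframe>
"""

if __name__ == "__main__":
    for version in (79, 80, 81):
        print(f"Chrome {version}:")
        for kind, url, outcome in audit(SAMPLE_HTML, PAGE_URL, version):
            print(f"  {kind:7} {outcome:13} {url}")
```

Running it against a real page's HTML shows which assets will silently start failing as users move from Chrome 79 to 81; the `https_available` hook is where you would plug in an actual HEAD request to confirm the upgraded URL exists before the browser starts blocking it for you.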
It’s likely this change will also affect how Googlebot parses and renders sites. Google uses an evergreen version of Chromium, which means if Chrome 80 and 81 block non-secure assets, so will Googlebot.