Chrome to block images, audio, and video that aren’t secure

To increase privacy and security, and to improve the user experience when people visit sites with mixed content (pages that load assets over both HTTP and HTTPS), Google is transitioning Chrome to block all non-secure assets.

The majority of sites on the internet now use HTTPS. The purpose of using HTTPS is to encrypt data between the site and the browser. However, many sites have mixed content: assets such as scripts, iframes, images, audio, and video that are served unencrypted over HTTP.

The most dangerous mixed content to serve is unencrypted scripts and iframes. That’s why Chrome blocks them by default. However, other types of mixed content that currently aren’t blocked also pose a threat to users. Emily Stark and Carlos Joan Ibarra, software engineers at Google who focus on Chrome security, said images, audio, and video are still allowed to load, which threatens users’ privacy and security.

An attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor non-secure but somewhere in between.

Emily and Carlos announced significant changes to Chrome that will affect how the browser processes mixed content. Starting with Chrome 80, the browser will begin blocking audio and video files served over HTTP in a mixed content environment. When Chrome 81 is released, it will block images that are served over HTTP in a mixed content environment.

Chrome browser timeline for blocking unencrypted assets
| Asset Type | Chrome 79 | Chrome 80 | Chrome 81 |
|---|---|---|---|
| Image | Not Blocked | Not Blocked | Blocked |
| Audio | Not Blocked | Blocked | Blocked |
| Video | Not Blocked | Blocked | Blocked |
| Iframe | Blocked | Blocked | Blocked |
| Script | Blocked | Blocked | Blocked |

Chrome 80 will also begin autoupgrading assets using HTTP to HTTPS. If the assets can’t be served over HTTPS, they will be blocked and won’t render in the browser.

I asked Emily on Twitter how autoupgrade works, and she said, “the scheme gets rewritten to https:// before [it starts] to load the resource.” That means the browser isn’t using a proxy. Instead, it’s merely changing the protocol used by the asset based on the upgrade request methodology outlined by W3C.
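As an added example (not code from the article, from Chrome, or from the W3C), the script below models the timeline table and the scheme-rewriting autoupgrade described above, so an HTTPS page’s list of subresources can be checked against each Chrome version before the rollout; the asset-type names, the sample page and URLs, and the assumption that only images, audio and video are autoupgraded are mine.

```javascript
// First Chrome version that blocks each HTTP asset type on an HTTPS page
// (from the article's table; 0 = blocked in every listed version).
const BLOCK_FROM_VERSION = { script: 0, iframe: 0, audio: 80, video: 80, image: 81 };
// Assumption: autoupgrade (Chrome 80+) only covers these types; scripts and
// iframes stay blocked outright, as the table shows for every version.
const AUTOUPGRADED = new Set(["image", "audio", "video"]);
const AUTOUPGRADE_FROM_VERSION = 80;

// W3C upgrade-insecure-requests "upgrade request" step: only the scheme changes;
// the parser already dropped a default ":80", so the port becomes 443.
function upgradeUrl(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// What Chrome `chromeVersion` does with one subresource of `pageUrl`;
// `httpsAvailable(url)` stands in for the network check of the https: variant.
function classify(pageUrl, resourceUrl, type, chromeVersion, httpsAvailable) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // resolves relative URLs
  // Only http: assets on an https: page are mixed content (data:/blob: out of scope).
  if (page.protocol !== "https:" || res.protocol !== "http:") {
    return { action: "allow", url: res.href };
  }
  if (!(type in BLOCK_FROM_VERSION)) throw new Error(`unknown asset type: ${type}`);
  if (chromeVersion < BLOCK_FROM_VERSION[type]) {
    return { action: "allow", url: res.href }; // loads, but the page is marked not secure
  }
  if (AUTOUPGRADED.has(type) && chromeVersion >= AUTOUPGRADE_FROM_VERSION) {
    const upgraded = upgradeUrl(res.href);
    if (httpsAvailable(upgraded)) return { action: "upgrade", url: upgraded };
  }
  return { action: "block", url: res.href }; // no HTTPS version: Chrome won't render it
}

// Constructed sample: an HTTPS page, its subresources, and which hosts answer
// over HTTPS (a stand-in for a real network check).
const SAMPLE_PAGE = "https://shop.example/cart";
const SAMPLE_ASSETS = [
  { url: "http://cdn.example/chart.png", type: "image" },
  { url: "http://media.example/promo.mp4", type: "video" },
  { url: "http://legacy.example/track.js", type: "script" },
  { url: "/img/logo.svg", type: "image" },
];
const httpsAvailable = (url) => new URL(url).hostname === "cdn.example";

function audit(chromeVersion) {
  return SAMPLE_ASSETS.map((a) => ({ type: a.type, ...classify(SAMPLE_PAGE, a.url, a.type, chromeVersion, httpsAvailable) }));
}
```

Running `audit(79)`, `audit(80)` and `audit(81)` shows the video dropping out in Chrome 80 because its host has no HTTPS variant, while the chart image survives Chrome 81 only because its host does.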

It’s likely this change will also affect how Googlebot parses and renders sites. Google uses an evergreen version of Chromium, which means if Chrome 80 and 81 block non-secure assets, so will Googlebot.

Jon is the founder and Managing Editor of Coywolf. He is a serial entrepreneur with over 25 years of experience in web development, SaaS, internet strategy, and digital marketing. Follow @henshaw
