HTML is the foundational language for how all web pages are coded. By design, HTML code delivered by a web server is publicly accessible, and it’s how browsers like Chrome, Safari, and Firefox process and display web pages. Keeping HTML publicly accessible is essential for standardization, rendering, and security.
In October 2021, the Missouri Governor, Mike Parson, claimed that viewing HTML source code was the equivalent to hacking. Web development and security experts immediately discredited the assertion. Shaji Khan, the cybersecurity professor who helped uncover the flaw, also declared that the state’s only crime committed was by the state.
The controversy created by the Missouri Governor coincided with an update to Chromium that makes it possible to prevent users from viewing the HTML source code of a web page. The patch immediately got the attention of web developers and security experts.
The initial concern was that Chrome would allow sites to block users from viewing the HTML source code. Fortunately, that’s not what the update does.
The update was added to Chrome to solve a couple of ongoing issues at schools. The first issue involved students viewing the HTML source code to reveal answers to quizzes. The second issue was related to students using the HTML source code to circumvent blocked sites. A representative from a school district in Mundelein, IL, shared a video of how students are getting past their safeguards.
The fix, which is now available in Chrome 98, does not allow sites to block users from viewing the HTML source code. Instead, it’s a patch used for Chrome Enterprise policies, and it’s associated with the URLBlocklist policy that many schools use. The update means that students can no longer exploit viewing the HTML source to get around the school’s policies on ChromeOS and the Chrome browser.
The fix still concerns some privacy, security, and open web activists because they see it as one step away from allowing sites to block users from viewing their HTML source code.