Starting in December 2019, Google Chrome will start blocking insecure content on web pages. Insecure content, also known as mixed content, is content that loads on an HTTPS website even if it is non-HTTPS.

If you’re a website owner, then this is the best time to check for errors made by mixed content before Chrome begins to block it. It is also the best time to fix all of them because if you fail to fix and verify any errors on your website, then you will lose website traffic, will have a poor user experience, and worse, you will lose customers and sales. Read on to know some tips we’ve listed so you’re prepared for the upcoming mixed content blocking in December.

 

What is Mixed Content?

When a non-HTTPS content loads on an HTTPS website, then it is called insecure content or mixed content. There are two types: the first one is content delivered over a connection with an unencrypted HTTP and the second type is delivered over a connection with an encrypted and secure HTTPS. When the content is delivered over a connection with HTTPS, it can’t be tampered or snooped by attackers because the connection is secure. That is why it is important that your website has encryption, especially if you’re dealing with private data or files and financial information.

Using an SSL certificate, websites are represented by HTTPS so that content can be delivered. Other than that, this certificate also secures websites by data transfer encryption between your browser and the website. WPBeginner, Google, WordPress.org, and Microsoft are some of the most popular websites that use HTTPS as a standard protocol for their websites.

Secure HTTPS is recommended for all websites nowadays as it’s also being required by the web. Unlike before, Google Chrome will now notify you if you’re browsing on a website without encryption. Chrome will say that these websites with older HTTP are not secure. Other than that, Google is now hiding the https:// indicator on the URL bar by default and they already added built-in encryption in it because they believe that websites should always be secured by default.

However, there are some web pages being delivered over a connection with secure HTTPS but are pulling scripts and images through a connection with an unencrypted HTTP. That is why most web pages are not completely HTTP or not HTTPS entirely. These web pages contain insecure content or mixed content, meaning they are not secure. Yes, the web page could not be tampered, but, the iframe, images, and scripts that it pulls may have a tamper.

 

Why Does Chrome Want to Block It?

As of now, Google Chrome blocks mixed content that comes from iFrame and JavaScript resources. But, in December 2019, all mixed content, including cookies, images, video, audio, and other web resources, will be blocked by Google as they want to make the web pages safe to use.

Even if you’re on a secure HTTPS web page, your website can still be penetrated by hackers if there’s an insecure HTTP file inside it. Hackers will definitely hijack it, manipulate users, and install malware on your website, which will jeopardize the safety of your website visitors and website security. Other than that, Google Chrome will not be able to determine whether your web page is insecure or secure, which means it will create a bad user experience on your website.

 

Is Mixed Content Bad?

Yes, mixed content is quite bad because somehow, you’re browsing on a website page that is insecure and secure at the same time. It’s a little confusing.  For instance, web pages that are safe and secure usually pull script files from Javascript through HTTP connection. When you connect in a public Wifi network, this script might get modified by hackers. They can insert a tracking cookie in it or monitor the keys you’re pressing on your computer or smartphone.

The most dangerous content in web pages are iframes and scripts as they are considered as active content. But, nowadays, even audio, images, and video-mixed content can be used by hackers to get your personal information and files. For instance, an image has been pulled in via an HTTP connection while you are viewing the secure website of your bank. That image might be tampered and not secure. Other than that, hackers who are looking at that image in transit will most likely know what bank and what information you are typing since it was delivered via a connection that is unencrypted.

All resources that should be pulled in a secure HTTPS web page should be those that transit via HTTPS, too because mixing insecure content with a secure web page is a bad idea. HTTP websites are now upgrading their system and transforming it into HTTPS. However, the HTTPS resources and content they are using are still the content they’ve used in the past. Other than that, they might be using a third-party resource that only supports HTTP and not a secure HTTPS.

Google is not the only one who’s making a move. Other browsers are in the lookout for mixed content to keep the web pages secure. It will be more difficult for hackers to penetrate websites as they are blocking mixed content. However, website owners should also do their job. They should upgrade to HTTPS and clean their website so that their website won’t lose website traffic, will have a poor user experience, and worse, will lose customers and sales.

 

What if a Website has Mixed Content?

As mentioned earlier, Chrome will be blocking all mixed content starting in December 2019. This mixed content includes videos, images, audios, and other web resources. In the spawn of the next three Google Chrome releases, three steps will be implemented in blocking mixed content on web pages.

  • Step 1. The Site Settings menu of Google Chrome will have a new settings option, starting from December 2019. If Google Chrome blocks content from iframe and JavaScript resources, users will be able to unblock them using the new settings option. Google Chrome will serve mixed content on a website where a user opts out. But the insecure icon will be placed in it instead of the padlock icon.
  • Step 2. The URLs of HTTP audio and video files will be upgraded automatically to HTTPS by Google Chrome, starting in January 2020. Those files will be blocked automatically if Google fails to load them via HTTPS connection. If websites are serving HTTP images, then it will still load. However, the padlock icon will be removed and replaced with the Note Secure icon.
  • Step 3. Chrome 81, which is the update for February 2020, will upgrade HTTP images automatically to HTTPS. These images will be blocked automatically, just like audio and video files, if they fail to load in an HTTPS connection.

You will see a Not Secure icon on the address bar if your website has mixed content resources that can’t be upgraded to HTTPS. If this happens on your website, you will lose website traffic, will have a poor user experience, and worse, you will lose customers and sales. But, don’t worry, you can easily fix mixed content errors on your website.

 

You Can Unblock Mixed Content

Some types of mixed content from iframe and JavaScript resources are already being blocked by Chrome. You will know that these contents have been blocked if there’s a shield icon appearing on your browser’s address bar. There will also be an Insecure Content Blocked message that will pop-up if you navigate to the shield icon.

Your web pages will have a Not Secure icon on top of the address bar if you agree to run all mixed content. You will set this option once the Chrome 79 launches in December 2019. This will be added on the Site Settings menu, allowing users to unblock mixed content. You have to remember that running mixed content on your web page will tell users that viewing your website is not secure, which is risky because you will lose website traffic, will have a poor user experience, and worse, lose customers and sales.

So, why unblock mixed content? You don’t have to unblock and run these types of content as it can harm your users and your business. What you need to do is fix your websites so the resources they deliver are secure and safe from hackers. You have to upgrade your HTTP website and all its contents to HTTPS so you and your users will be able to access the site securely.

Firefox also starts to block mixed content from resources like iframes and Javascript, too. They are giving an option to re-enable these mixed contents by clicking the Disable Protection For Now option. Other than that, Safari and Microsoft Edge are also on the lookout for these harmful and insecure content to keep users and website owners safe from hackers.