Google Chrome will soon block insecure content in HTTPS pages

As the company with the biggest presence and influence on the Internet, Google has taken it upon itself to make the Web a safer place. From misbehaving ads to insecure pages, Google has used its Chrome web browser to steer developers and administrators towards more industey best practices. Google boasts that Chrome users spend 90% of their time on secure HTTPS pages but soon it will be tightening the noose on remaining insecure content by blocking them completely starting next year.

Google has been pushing for web page owners and developers to move over to secure and encrypted HTTP, a.k.a. HTTPS, by clearly marking insecure web pages in Chrome. It serves both as a warning for users as well as something like a shame campaign and it seems to have at least worked. Unfortunately, that HTTPS mark wasn't exactly an accurate badge as even HTTPS pages may actually include insecure content.

These are called mixed content where a secure web page may, intentionally or not, load subresources insecurely via plain HTTP. These subresources include not just images and videos but even scripts and iframes or embedded web pages. In other words, even secure web pages may still put users at risk via those pieces of content that may be loaded externally or through other channels.

Google will fix that situation by blocking mixed content but the transition will be gradual to give both users and developers time to adjust. Starting with Chrome version 80, which will be released to the development channel in January 2020, will mark even HTTPS pages with mixed content as Not Secure. It will also attempt to autoupgrade those mixed content to HTTPS but if it fails, Chrome will just block them outright. That will mostly happen by Chrome 81 in February 2020.

That will naturally break the browsing experience for some, which is why Google is giving developers a heads up to make the necessary changes. When all else fails, Chrome 79 coming this December will let users unblock mixed content on a per-site basis. At their own risk, of course.