Chrome will automatically block http elements on websites

Google Chrome will no longer load HTTP elements on otherwise encrypted pages. On websites with https connections that also contain unencrypted elements, the latter are no longer simply loaded.

Such “mixed content” will be blocked in Chrome in the future, Google writes in a blog post. The browser then ensures that https websites can only load https content. Google wants to improve the privacy and security of users with this. According to the company, internet users now spend more than 90 percent of their time on an encrypted connection.

Chrome already blocks such mixed content in certain cases at this point. That happens when it comes to unencrypted scripts or iframes. However, multimedia content such as images, audio or video will still be played, even if they are not encrypted with https. As a result, attackers can in principle use such content to send malware or tracking cookies to visitors. In addition, Google says, such mixed content creates confusing signals for users. They see in their URL bar that a site is encrypted with SSL, but that ‘parts are unsafe.’

The change does not happen overnight. In Chrome 79, there will be a new setting that allows users to manually turn mixed content on or off. It is in the same menu as where users can find more information about the security of a site. In Chrome 80, audio and video elements are automatically sent via https, or are blocked if that fails. When using unencrypted images, users are notified that the entire website is unsafe. In Chrome 81, which will be released in February next year, all insecure elements are automatically blocked.