November 6, 2019

Google Chrome will block mixed content in the near future

Google Chrome will soon block all mixed content by default. Google revealed a plan in October that details how the company's Chrome browser will handle mixed content in upcoming release versions.

Mixed content refers to sites that load via HTTPS but use HTTP resources. A simple example is a site that loads an image via HTTP while the page itself is accessed via HTTPS. Chrome blocks scripts and iframes by default if they are loaded via HTTP on HTTPS sites but allows static content such as images to be displayed.

According to Google, this behavior threatens the privacy and security of users because an "attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load".

Starting with Chrome 79 Stable, expected to be released in December 2019, Chrome will gradually upgrade or block mixed content that it encounters.

The company announced the following timeline:

  • Chrome 79 -- New option in Site Settings to unblock mixed content in Google Chrome for specific sites. Just click on the icon in front of the address and select Site Settings from the interface that opens; Chrome loads the Site Settings for the site in question. Locate Insecure Content to change it to Ask or Allow for that particular site.
  • Chrome 80 -- Audio and Video resources will be upgraded to HTTPS automatically if possible. If that is not possible, they will be blocked.
  • Chrome 80 -- Mixed images will still load but Chrome displays a "not secure" label in the address bar.
  • Chrome 81 -- Mixed images will be upgraded to HTTPS if possible or blocked if that is not possible.

Chrome users may use the insecure content site setting to allow blocked resources on a particular site.

Mozilla, maker of Firefox, implemented a new preference in Firefox 60 to allow mixed content in the browser. It is turned off by default, however.

The impact

The change has an impact on image, video, and audio resources that are loaded via HTTP currently on HTTPS sites. Chrome attempts to upgrade these resources to HTTPS automatically but that will work only if the site the resources are loaded from supports it (meaning it supports HTTP and HTTPS). If that is not the case, the resources won't be loaded in Chrome 80 (video/audio) and Chrome 81 (images).

Chrome gets a new option in version 79 to allow these resources to be loaded if they are blocked by the browser; this is done to make sure that content does not break on sites that have not yet been fully upgraded to HTTPS.
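For site owners who want to find affected resources before these releases ship, the following added example (not part of the original article and not Google's code) scans a page's markup for HTTP subresources and labels each with the Chrome behavior from the timeline above. The function and class names, the `POLICY` table layout, and the sample hosts are assumptions made for illustration; the script does not test whether the resource host actually supports HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Chrome's handling of each HTTP subresource type on an HTTPS page,
# taken from the timeline in the article.
POLICY = {"script": "blocked by default", "iframe": "blocked by default",
          "audio": "upgraded or blocked from Chrome 80",
          "video": "upgraded or blocked from Chrome 80",
          "img": "upgraded or blocked from Chrome 81"}

# Constructed sample markup; all hosts are placeholders.
SAMPLE = """
<img src="http://cdn.example/chart.png">
<img src="//cdn.example/relative.png">
<video><source src="http://media.example/clip.mp4"></video>
<script src="http://cdn.example/lib.js"></script>
<iframe src="https://embed.example/widget"></iframe>
"""

class MixedContentAudit(HTMLParser):
    """Collect HTTP subresources referenced by an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media = None    # enclosing <audio>/<video>, if any
        self.findings = []   # (type, absolute URL, Chrome behavior)

    def handle_starttag(self, tag, attrs):
        if tag in ("audio", "video"):
            self.media = tag
        # A <source> child counts as the media element around it.
        kind = self.media if tag == "source" and self.media else tag
        src = dict(attrs).get("src")
        url = urljoin(self.page_url, src or "")  # resolves relative and // URLs
        if src and kind in POLICY and urlsplit(url).scheme == "http":
            self.findings.append((kind, url, POLICY[kind]))

    def handle_endtag(self, tag):
        if tag == self.media:
            self.media = None

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(*audit("https://shop.example/", SAMPLE), sep="\n")
```

The protocol-relative image and the HTTPS iframe are not reported because they resolve to HTTPS when the page itself is loaded over HTTPS.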

Now You: Do you encounter many HTTP / mixed content sites in your day to day browsing?

The post Google Chrome will block mixed content in the near future appeared first on gHacks Technology News.




☛ The complete original article by Martin Brinkmann can be viewed here.
