What Is “Mixed Content,” and Why Is Chrome Blocking It?

Google Chrome already blocks some types of ;mixed content; on the web. Now, Google announced it7;s getting even more serious: Starting in early 2020, Chrome will block all mixed content by default, breaking some existing web pages. Here7;s what that means.

What Is Mixed Content?

There are two types of content here: Content delivered over a secure, encrypted HTTPS connection, and content delivered over an unencrypted HTTP connection. When you use HTTPS, content can7;t be snooped on or tampered with in transit, which is why it7;s critical websites offer encryption when dealing with financial information or private data.

The web is moving to secure HTTPS websites. If you connect to an older HTTP website without encryption, Google Chrome now warns you these websites are ;not secure.; Google now even hides the ;https://; indicator by default, as sites should just be secure by default. And the new HTTP/3 standard will have built-in encryption.

But some web pages can be neither entirely HTTPS nor completely HTTP. Some web pages are delivered over a secure HTTPS connection, but they pull in images, scripts, or other resources via an unencrypted HTTP connection. Such web pages have ;mixed content; because they7;re not fully secure. The web page itself couldn7;t be tampered with, but it may pull in a script, image, or iframe (a web page inside a ;frame; on another web page) that could have been tampered with.

Why Mixed Content Is Bad

Mixed content is confusing. You7;re somehow viewing a web page that7;s both secure and not secure. For example, a usually safe and secure web page could pull in a JavaScript file via HTTP. That script could be modified2;for instance, if you7;re on a public Wi-Fi network that isn7;t trustworthy2;to do many nasty things on the web page, from monitoring your keystrokes to inserting a tracking cookie.

While scripts and iframes2;;active content;2; are the most dangerous, even images, videos, and audio-mixed content could be risky. For example, imagine you7;re viewing a secure stock trading website that pulls in an image of a stock7;s history via HTTP. That image isn7;t secure2;it could have been tampered with in transit to show incorrect details. Also, because it was delivered over an unencrypted connection, anyone snooping on the data in transit likely knows what stock you7;re looking at.

It7;s a bad idea to mix content like this. If a web page is using HTTPS, all its resources should be pulled in via HTTPS as well. It7;s just a historical accident2;the web started with HTTP, and websites gradually upgraded to HTTPS. As they did, they didn7;t always update to use HTTPS resources everywhere. Or, they may have depended on a third-party resource that didn7;t support HTTPS at the time.

Now, with Google and other browser vendors making mixed content more difficult and discouraging, websites will have to clean things up so their web pages will continue working by default.

What Exactly Is Changing in Chrome?

Chrome currently blocks mixed scripts and iframes. In Chrome 80, which will be released to early release channels in January 2020, Chrome will block mixed audio and video resources2;technically, it will try to load them over a secure HTTPS connection instead and block them if they won7;t. Mixed images will load, but Chrome will say the web page is ;Not Secure.; In Chrome 81, Chrome will stop loading mixed images, too. Users can allow the mixed content to load, but it won7;t by default.

It7;s all part of making the web more secure. Google7;s blog post says that it expects the ;Not Secure; message ;will motivate websites to migrate their images to HTTPS.;

How Chrome Will Let You Unblock Mixed Content

Chrome already blocks some types of mixed content with a shield icon in the address bar and an ;Insecure content blocked; message. You can see how it works on this mixed content example page created by Google. For example, to unblock a mixed content script, you have to click a link named ;Load unsafe scripts.;

If you agree to run the mixed content, the web page changes from Secure to Not Secure.

Google will be simplifying this in Chrome 79, which will be released sometime in December 2019. You7;ll have to click the lock icon to the left of the page7;s address, click ;Site Settings,; and then unblock mixed content for that site.

The option becomes more buried, but that7;s the point: Most people should never need to enable mixed content for a site. Website developers need to fix their websites to deliver resources securely. This option will ensure anyone using an older business site can continue accessing it, even while mixed content is disabled for everyone.

If you need a site that requires this, don7;t worry: Google hasn7;t announced a date when it7;s removing the option to load mixed content in Chrome. Google7;s web browser will be blocking all mixed content by default but will continue offering an option to enable mixed content for the foreseeable future.

What About Other Browsers?

Chrome isn7;t alone. Firefox blocks mixed content like scripts and iframes, too, and requires you click a ;Disable protection for now; setting to reenable it. We expect Mozilla to follow in Google7;s footsteps. Apple7;s Safari is aggressive about blocking mixed content, too.

And, of course, Microsoft7;s new Edge browser will be based on the Chromium code that forms the basis for Google Chrome and will behave like Chrome.