Chrome will block HTTP content from loading on secure sites

Christine Fisher
Contributing Writer

In a move to improve user privacy and security, Google is simplifying its browser security settings. In a blog post, the Chrome security team said https:// pages will only be able to load secure (https://) subresources. The change won't happen overnight, but in a series of gradual steps.

According to Google, Chrome users now spend over 90 percent of their browsing time on HTTPS on all major platforms. But it's common for those secure pages to load insecure HTTP subresources. Many of those subresources are blocked by default, but some sneak in as images, audio and video, or "mixed content." That mixed content can put users at risk.

Beginning with Chrome 79, Chrome will work towards blocking all mixed content by default. To smooth the process, it will introduced the change incrementally. In December, Chrome 79 will add a new setting to unblock mixed content on specific sites. In January 2020, Chrome 80 will autoupgrade all mixed audio and video resources to HTTPS, and it will automatically block them if they fail to load over HTTPS. Finally, in February 2020, Chrome 81 will autoupgrade all mixed images to HTTPS, and as with audio and video, block those that don't load over HTTPS.

Once the changes are complete, users won't have to wonder whether the subresources they're viewing are HTTP or HTTPS. And the slow roll out should give developers time to migrate their mixed content to HTTPS. Though, as we've already learned, that "secure" padlock in the address bar, doesn't necessarily mean you're safe.