Starting December 2019, Google Chrome will begin blocking pages with mixed content which could have a major impact on your site. Many site owners see the green padlock in the URL bar at the top of their home page, and they assume that all content on their site is loading securely, However, this is not always the case. Each individual page on a site is indexed by Google, so even if a single image on a page loads over http:// rather than https://, Google Chrome will flag that page and display a warning to the user about the page’s security.
While users will still be able to move past the warning to view your page, it may be enough to deter some individuals. If you’re proactive, you can prepare your site for these changes and prevent any mixed content pages from being blocked. Keep reading to learn more about what mixed content is and how to keep your pages safe.
What is Mixed Content?
Mixed content refers to when a page loads securely over https:// but resources (image, link, CSS, etc) on the page do not load securely. Mixed content often occurs when a content author quickly copies and pastes a link to another site while writing a blog post and doesn’t realize the linked site loads over http://. Mixed content can include anything from links, images, iframes, scripts, stylesheets, and more.
Even though a site may be “secure” in that the pages load over https://, addressing pages with mixed content is critical because the http:// protocol can open the door for attackers to hijack the entire page and threaten both the site and end user’s security and privacy.
Why the Change, and What Will I See?
In recent years, Google Chrome has flagged sites missing SSL certificates and encouraged forcing https:// URLs as a security precaution to protect end user information. Since then, pages that load over https:// (rather than http://) have displayed content the same regardless of any mixed content found on the page. In these cases, however, pages with mixed content would not display the secure green padlock icon in the URL bar.
In an effort to further enhance site and user security, Google is cracking down on any pages that contain mixed content. Not only will the secure green padlock be missing from these pages, but Google will also start displaying a “Not Secure” message next to the URL.
It’s not just the URL bar that will be affected in these upcoming changes, though. In addition to displaying “Not Secure” next to the URL, Google Chrome will begin blocking mixed content resources from loading on pages entirely, meaning that certain images, iframes, fonts, etc. may not display on the page at all. Instead you may see broken image links, different fonts, broken sections where iframes can’t load, etc.
All hope may not be lost, though. In a series of releases, Chrome will auto-upgrade mixed content resources to attempt to load over https://. This means that if you have, for example, an iframe hardcoded over http://, but the iframe CAN be loaded over https://, it will still display. If the iframe cannot be loaded over https://, it will not display at all. Read the full announcement from Chrome for more details.
Can I Scan My Site For Mixed Content?
Yes! Just use JitBit’s handy SSL Check Tool to find a list of pages on your site containing mixed content. The tool itself won’t tell you which resources are being flagged as mixed content, but once you arrive at the flagged page, right-click anywhere on the page and click “Inspect.” Doing so will open the Chrome inspector tool. Within the inspector tool, you should see a “Console” tab. Click this tab, and you’ll see where Chrome has flagged any resources as mixed content.
What Do I Do to Keep All My Pages Safe?
So you’ve scanned your site and found you have some pages with mixed content... You might be tempted to disregard Chrome’s mixed content update thinking that your website loads over https://, so you don’t need to stress about individual pages. However, you’re putting both your site and users at a serious risk if you do not take necessary action. When users arrive on a website that says “Not Secure,” they will immediately question your business’s credibility. They’ll view this notification as a red flag, and they’ll be more likely to leave your website to go to one loads securely.
Google Chrome will still offer end users a setting that can be enabled or disabled per-site to unblock mixed content. However, depending on your demographic, your users may not know to look for this setting, or they may not be willing to take the time to update their settings in favor of a competitor’s site which loads all assets securely.
Fortunately, mixed content warnings are often simple to fix. Simply changing hardcoded http:// URLs to https:// does the trick as long as the end resource can be loaded securely. In cases where the end resource cannot be loaded over https://, the solution may be more technical - that’s where we can come in to help. Denverdata Web can help you evaluate the nature of mixed content on your site, take appropriate action to update all mixed content so that it loads securely, and prevent users from leaving your site prematurely.