Google Chrome Announces Rollout Plan for Blocking Mixed Content Beginning January 2020

The Google Security Team has announced a timeline for when Chrome will begin blocking mixed content by default in order to ensure that HTTPS browsing is more secure. Mixed content refers to HTTPS pages that load resources, such as images, videos, stylesheets, and scripts, over HTTP.

The gradual rollout will begin with Chrome 79, which is scheduled for release in December 2019. The browser already blocks mixed scripts and iframes, but this release will add a new setting (that can be toggled on or off) for users to unblock it on a per-site basis.

The next phase of the rollout will progress with Chrome 80, due in January 2020, where mixed audio and video resources will get auto-upgraded to HTTPS. If they fail to load over HTTPS, Chrome will automatically block them. Mixed images will still load but Chrome will display a “Not Secure” warning in the omnibox next to the URL.

The last phase of the rollout is planned for February 2020. Along with the release of Chrome 81, mixed content images will bet auto-upgraded to HTTPS and Chrome will block them if they fail to load.

The Google Security Team reports that Chrome users now spend more than 90% of their browsing time on HTTPS on both desktop and mobile. The plan to begin blocking mixed content is targeted at addressing insecure holes in SSL implementations of sites that have already made the switch to HTTPS.

WordPress site owners have plenty of time to ensure all their resources load over HTTPS. The official plugin directory has several popular plugins that can assist with fixing problems with mixed content. Really Simple SSL, a plugin that is active on more than 3 million sites, has a built-in mixed content scan that shows users what they need to do if they aren’t seeing the green lock in the omnibar yet. It also includes a “mixed content fixer” for the back-end.

Other popular plugins, such as SSL Mixed Content Fix (20k active installs) and SSL Insecure Content Fixer (300k active installs) are focused specifically on fixing these issues and may assist in making other installed plugins compatible with HTTPS. They include tools that will diagnose insecure content and automatically perform basic fixes. The SSL Insecure Content Fixer plugin is also compatible with WordPress multisite and includes a network settings page to set defaults for the entire network.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

8 Comments


  1. This is such great news. However, I believe that those that have a valid SSL certificate on their websites will not be affected?

    Report


  2. I have a valid ssl cert but I still get a warning triangle, it seems something on my home page is not https. I tried really simple ssl but it seems a sledgehammer to crack a nut. There must be a way to find out what ssl doe not like, we are a charity.

    Report


    1. Open browser console, switch to network tab, reload page, watch requests, identify http requests.

      And as a bonus, also identify external resources which might void GDPR if not noted in your privacy policy.

      Report


  3. Will a site that fully loads over HTTP be blocked all together? I think that can be inferred here but want to see what you think?

    Report

Comments are closed.