Chromium 14 Canary Release v14.0.785.0 Now Blocks "Mixed Scripting" Vulnerabilities

Google has revealed that, as of the first Chromium 14 canary release (14.0.785.0), it is trialing blocking "mixed scripting" conditions by default and has added an infobar that shows when a script is being blocked.

"As a user, you can choose to reload the website without the block applied. Ideally, in the longer term, the infobar won't have the option for the user to bypass it. Our experience shows that some subset of users will attempt to 'click through' even the scariest of warnings -- despite the hazards that can follow," Google explains.

So, what is a "mixed scripting" vulnerability?

"A 'mixed scripting' vulnerability is caused when a page served over HTTPS loads a script, CSS, or plug-in resource over HTTP. A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the HTTP resource load and gain full access to the website loading the resource. It's often as bad as if the web page hadn't used HTTPS at all.

A less severe but similar problem -- a 'mixed display' vulnerability -- is caused when a page served over HTTPS loads an image, iframe, or font over HTTP. A man-in-the-middle attacker can again intercept the HTTP resource load but normally can only affect the appearance of the page," Google explained.
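As an added example (not code from Google or from the original article), the following static check sorts the `http://` subresources in an HTTPS page's HTML into the two classes defined above. The tag table follows the article's classification; fonts are loaded from CSS and are not covered. `RULES`, `scan` and the `example.test` hosts are names assumed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, URL attribute) -> category, following the article's classification.
RULES = {
    ("script", "src"): "scripting", ("link", "href"): "scripting",
    ("object", "data"): "scripting", ("embed", "src"): "scripting",
    ("img", "src"): "display", ("iframe", "src"): "display",
}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources referenced by a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page carries <base href>
        self.findings = []     # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            return
        # Only stylesheet links count; rel="canonical" etc. load nothing.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for (t, attr), category in RULES.items():
            if t == tag and a.get(attr):
                # Relative and protocol-relative URLs inherit the base scheme.
                absolute = urljoin(self.base, a[attr])
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((category, tag, absolute))


def scan(page_url, html):
    """Return mixed-content findings for html as served from page_url."""
    if urlsplit(page_url).scheme != "https":
        return []              # mixed content only applies to HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; hosts under example.test are placeholders.
SAMPLE = """<head><link rel="stylesheet" href="http://static.example.test/a.css">
<link rel="canonical" href="http://www.example.test/login">
<script src="//cdn.example.test/lib.js"></script>
<script src="http://cdn.example.test/track.js"></script></head>
<body><img src="http://img.example.test/logo.png"><img src="/local.png">
<iframe src="http://ads.example.test/frame.html"></iframe></body>"""
```

Calling `scan("https://www.example.test/login", SAMPLE)` reports the stylesheet and `track.js` as mixed scripting and the image and iframe as mixed display. Resources that scripts insert at run time do not appear in static HTML, so this check does not replace watching the browser console.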

Browsers have long used different indicators, modal dialogs, block options or even click-throughs to indicate these conditions to users. If a page on your website has a mixed scripting issue, Chromium will currently indicate it like this in the URL bar:

And for a mixed display issue:

If any of the HTTPS pages on your website show the crossed-out red https, there are good reasons to investigate promptly:

  • Your website won't work as well in other modern browsers (such as IE9 or FF4) due to click-throughs and ugly modal dialogs.
  • You may have a security vulnerability that could compromise the entire HTTPS connection.

Here's what Google advises:

If Chromium's UI shows any mixed content issues on your site, you can try to use a couple of developer tools to locate the problem. A useful message is typically logged to the JavaScript console (Menu -> Tools -> JavaScript Console):

You can also reload the page with "Network" tab active and look for requests that were issued over the http:// protocol. It's worth noting that the entire origin is poisoned when mixed scripting occurs in it, so you'll want to look at the console for all tabs that reference the indicated origin. To clear the error, all tabs that reference the poisoned origin need to be closed. For particularly tough cases where it's not clear how the origin became poisoned, you can also enable debugging to the command-line console to see the relevant warning message.

The latest Chromium 13 dev channel build (13.0.782.10) has a command line flag: --no-running-insecure-content. We recommend that website owners and advanced users run with this flag, so we can all help mop up errant sites. (We also have the flag --no-displaying-insecure-content for the less serious class of mixed content issues; there are no plans to block this by default in Chromium 14).

The Chromium 14 release will come with an inverse flag: --allow-running-insecure-content, as a convenience for users and admins who have internal applications without immediate fixes for these errors.

[Source: Online Security blog]