Google has been promoting HTTPS connection as early as 2016 for secured and faster web browsing with time to time warning urging people to adopt the encrypted protocol.
Even back in February 2018, the company warned that starting Chrome 68, all HTTP sites wiil be marked as “not secure”.
However, Google has not explicitly addressed whether mixed secure web pages when opened in Chrome will also trigger a warning.
Google also made it mandatory for all sites to use HTTPS to get indexed in its search engine.
So, what is a Mixed Content?
Generally, it happens when a website or blog is migrated to HTTPS without being edited other resources and both HTTPs and HTTP connection are used to display a web page.
In other words, a mixed content error is triggered when a site is initially loaded over a secure HTTPS connection, but other resources on the site, like images, videos, stylesheets, scripts etc. loads over an insecure HTTP connection.
This is called “mixed content,” because while the initial web request was made over the encrypted HTTPS, the other resources used unsecured HTTP connection.
With mixed content, browsers while show warnings also most of the times block users from accessing the web page altogether.
Users, however, can go the omnibox on the right side to allow the blocked content to load.
This keeps webmaster away from migrating to HTTPS, fearing they may lose traffic as well as revenue for no tangible benefit of supporting encrypted protocol.
More recently now, the Google Chrome team has begun testing to find out a way to fix HTTPS mixed content errors.
In the new experiment, Google is reportedly testing a new setting within the Chrome browser that will automatically change mixed content from HTTP to full HTTPS.
To make this auto-upgrade, Chome will process the scenarios configured when it encounters http content over https, like “if the same content is available over HTTPS, and can it be transparently upgraded, or impact on user experience.”
Explaining the purpose of the experiment, Google notes it wants to see the feasibility of auto-upgrading between “all mixed content or a subset” along with the best fallback strategy for HTTP URLs that break.
Those, who is using Chrome Canary build can start experimenting now by simply enabling a flag by typing the following in their URL bar:
Now, search for "Origin Trials"
Or, simply type
and select enable from the dropdown.
Here is a screenshot of the flag with default Chrome settings:
Google’s experiment will not be the first of its kind. Mozilla tested with a similar mixed content auto-update in Firefox last year.
Interestingly, Mozilla had already attempted s similar mixed content “force-upgrades” user control with no major breakthrough.
Instead, they found “lot of breakage, because the upgraded content does not exist at the new HTTPS address, so the content load fails.”
In the mean time, users of WordPress facing mixed content warnings can use Reall SSL Plugin that solves this issue.
Here are some other fixes for mixed content errors in Chrome:
- Open Chrome
- In the URL bar, type Chrome://net-internals
- Click on “Domain Security Policy” in the side-bar
- Add the domain name to always allow access in http form into the “Add HSTS/PKP domain” section
Type the following command:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" " --allow-running-insecure-content"
chrome.exe --user-data-dir=c:\temp-chrome --disable-web-security --allow-running-insecure-content