Google Chrome Now Blocks Insecure Scripts on HTTPS
By on June 25th, 2011

JavaScript is a scripting language which is used to provide a lot of functionalities to users without them noticing it. It also powers some of the best known web services out there including and more. However, that a faulty or rogue JavaScript can also cause havoc on your system?

Well, how would you know that unless your browser told it? However, not all browsers tell you when a JavaScript is insecure, but you can count as your friend in this case (at-least the dev version on HTTPS), because it has started to block Insecure scripts while you are browsing a website on a HTTPS connection.

Chrome Blocks Insecure Scripts

As you can see from the above screenshot, Google Chrome now shows you a message saying that it has blocked an insecure script from running on the browser, whilst proving you an option to "Load Anyway". This is done to protect users from running harmful scripts on their system.

This behavior in Google Chrome is similar to them blocking users from accessing harmful websites that they have in their database an will be useful in protecting users.

The help page on this topic shows what Google is doing exactly:

When a website is secured via HTTPS, the web site designer must also ensure that all of the scripts used by the page will be delivered in the same secure manner as the main page itself. The same requirements also apply to the plugins and external CSS stylesheets used by the page, as these have the same considerations as javascript.

When this is not the case (sometimes called a mixed scriptsituation), visitors to the site run the risk that attackers can interfere with the website and change the script so as to serve their own purposes.

Traditionally, browsers have run the mixed script, genuine or not, and notified you after-the-fact by a broken lock icon, a dialog box, or a red https:// in the location bar (in the case of Google Chrome). The problem with this approach is that by the time the script has run, it is already too late, because the script has had access to all of the data on the page.

Google Chrome now protects you by refusing up-front to run any script on a secure page unless it is also being delivered over HTTPS. Data on the page remains secure even in the presence of an attacker, but the downside is that this may cause pages to display improperly. You may wish to let the website owner know that their site is not properly secured. (Note that a poorly-written extension can also sometimes cause this).

You can bypass this protection by clicking Allow Anyway, in which case Google Chrome will refresh the page and load the insecure content. You will then see an https:// displayed in red in the location bar indicating that the page could not be secured.

The above description says that Chrome is only blocking scripts which are served through non-HTTPS on a HTTPS connection. Hopefully, the will improve this behavior and also display the same message on the browser when a known rogue script is running on a website.

Tags: , , ,
Author: Keith Dsouza Google Profile for Keith Dsouza
I am the editor-in-chief and owner of Techie Buzz. I love coding and have contributed to several open source projects in the past. You can know more about me and my projects by visiting my Personal Website. I am also a social networking enthusiast and can be found active on twitter, you can follow Keith on twitter @keithdsouza. You can click on my name to visit my Google+ profile.

Keith Dsouza has written and can be contacted at keith@techie-buzz.com.

Leave a Reply

Name (required)

Website (optional)

 
    Warning: call_user_func() expects parameter 1 to be a valid callback, function 'advanced_comment' not found or invalid function name in /home/keith/techie-buzz.com/htdocs/wp-includes/comment-template.php on line 1694
 
Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites. Content Delivery by MaxCDN