Can I configure Chrome to block insecure content on mixed pages
In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:
Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).
The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.
Details:
I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.
I get no pop-ups or dialogues asking if I want to display the insecure content.
Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:
Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.
I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.
*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.
google-chrome security
add a comment |
In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:
Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).
The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.
Details:
I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.
I get no pop-ups or dialogues asking if I want to display the insecure content.
Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:
Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.
I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.
*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.
google-chrome security
Are you essentially asking whether Chrome has settings equivalent to Firefox'ssecurity.mixed_content.block_display_content
andsecurity.mixed_content.upgrade_display_content
configuration options?
– sampablokuper
Feb 6 at 16:15
add a comment |
In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:
Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).
The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.
Details:
I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.
I get no pop-ups or dialogues asking if I want to display the insecure content.
Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:
Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.
I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.
*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.
google-chrome security
In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:
Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).
The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.
Details:
I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.
I get no pop-ups or dialogues asking if I want to display the insecure content.
Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:
Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.
I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.
*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.
google-chrome security
google-chrome security
asked Nov 6 '13 at 18:02
Andrew MAndrew M
156112
156112
Are you essentially asking whether Chrome has settings equivalent to Firefox'ssecurity.mixed_content.block_display_content
andsecurity.mixed_content.upgrade_display_content
configuration options?
– sampablokuper
Feb 6 at 16:15
add a comment |
Are you essentially asking whether Chrome has settings equivalent to Firefox'ssecurity.mixed_content.block_display_content
andsecurity.mixed_content.upgrade_display_content
configuration options?
– sampablokuper
Feb 6 at 16:15
Are you essentially asking whether Chrome has settings equivalent to Firefox's
security.mixed_content.block_display_content
and security.mixed_content.upgrade_display_content
configuration options?– sampablokuper
Feb 6 at 16:15
Are you essentially asking whether Chrome has settings equivalent to Firefox's
security.mixed_content.block_display_content
and security.mixed_content.upgrade_display_content
configuration options?– sampablokuper
Feb 6 at 16:15
add a comment |
2 Answers
2
active
oldest
votes
Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)
Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.
This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.
Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").
With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
add a comment |
Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:
--no-displaying-insecure-content
reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking
reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features
reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using--enable-strict-mixed-content-checking
and some other, unspecified flags.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f670499%2fcan-i-configure-chrome-to-block-insecure-content-on-mixed-pages%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)
Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.
This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.
Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").
With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
add a comment |
Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)
Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.
This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.
Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").
With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
add a comment |
Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)
Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.
This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.
Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").
With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)
Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.
This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.
Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").
With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
answered Nov 6 '13 at 18:30
Andrew MAndrew M
156112
156112
add a comment |
add a comment |
Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:
--no-displaying-insecure-content
reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking
reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features
reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using--enable-strict-mixed-content-checking
and some other, unspecified flags.
add a comment |
Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:
--no-displaying-insecure-content
reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking
reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features
reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using--enable-strict-mixed-content-checking
and some other, unspecified flags.
add a comment |
Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:
--no-displaying-insecure-content
reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking
reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features
reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using--enable-strict-mixed-content-checking
and some other, unspecified flags.
Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:
--no-displaying-insecure-content
reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking
reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features
reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using--enable-strict-mixed-content-checking
and some other, unspecified flags.
answered Feb 6 at 16:25
sampablokupersampablokuper
1,21941733
1,21941733
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f670499%2fcan-i-configure-chrome-to-block-insecure-content-on-mixed-pages%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Are you essentially asking whether Chrome has settings equivalent to Firefox's
security.mixed_content.block_display_content
andsecurity.mixed_content.upgrade_display_content
configuration options?– sampablokuper
Feb 6 at 16:15