Can I configure Chrome to block insecure content on mixed pages












2















In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:



gmail mixed content ssl warning



Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).



The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.



Details:



I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.



I get no pop-ups or dialogues asking if I want to display the insecure content.



Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:




Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.




I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.



*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.










share|improve this question























  • Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

    – sampablokuper
    Feb 6 at 16:15
















2















In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:



gmail mixed content ssl warning



Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).



The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.



Details:



I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.



I get no pop-ups or dialogues asking if I want to display the insecure content.



Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:




Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.




I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.



*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.










share|improve this question























  • Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

    – sampablokuper
    Feb 6 at 16:15














2












2








2


1






In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:



gmail mixed content ssl warning



Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).



The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.



Details:



I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.



I get no pop-ups or dialogues asking if I want to display the insecure content.



Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:




Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.




I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.



*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.










share|improve this question














In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:



gmail mixed content ssl warning



Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).



The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.



Details:



I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.



I get no pop-ups or dialogues asking if I want to display the insecure content.



Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:




Your connection to mail.google.com is encrypted with 128-bit
encryption. However, this page includes other resources which are not
secure. These resources can be viewed by others while in transit, and
can be modified by an attacker to change the look of the page.




I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.



*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.







google-chrome security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 6 '13 at 18:02









Andrew MAndrew M

156112




156112













  • Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

    – sampablokuper
    Feb 6 at 16:15



















  • Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

    – sampablokuper
    Feb 6 at 16:15

















Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

– sampablokuper
Feb 6 at 16:15





Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options?

– sampablokuper
Feb 6 at 16:15










2 Answers
2






active

oldest

votes


















1














Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)



Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.



This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.



Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").



With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.






share|improve this answer































    0














    Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:





    • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."


    • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.


    • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f670499%2fcan-i-configure-chrome-to-block-insecure-content-on-mixed-pages%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      1














      Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)



      Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.



      This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.



      Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").



      With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.






      share|improve this answer




























        1














        Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)



        Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.



        This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.



        Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").



        With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.






        share|improve this answer


























          1












          1








          1







          Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)



          Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.



          This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.



          Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").



          With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.






          share|improve this answer













          Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)



          Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.



          This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.



          Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").



          With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 6 '13 at 18:30









          Andrew MAndrew M

          156112




          156112

























              0














              Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:





              • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."


              • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.


              • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.






              share|improve this answer




























                0














                Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:





                • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."


                • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.


                • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.






                share|improve this answer


























                  0












                  0








                  0







                  Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:





                  • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."


                  • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.


                  • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.






                  share|improve this answer













                  Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:





                  • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."


                  • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.


                  • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 6 at 16:25









                  sampablokupersampablokuper

                  1,21941733




                  1,21941733






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f670499%2fcan-i-configure-chrome-to-block-insecure-content-on-mixed-pages%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to make a Squid Proxy server?

                      Is this a new Fibonacci Identity?

                      19世紀