Google makes life easier for mixed-content sysadmins

Serve HTTPS without remaking your HTTP content

Rejoice, sys admins with big non-encrypted image databases: Google feels your pain and says the next version of Chromium, 43, will provide some relief.

One of the challenges, the Chocolate Factory reckons, is that old sites with lots of non-HTTPS resources can't be migrated with a simple flick of the switch.

In current browsers, including Chromium 42, this leads to a warning that the secured page contains insecure elements – something that requires users to decide whether to keep browsing or close the window.

As Google says here, “mixed content checking causes headaches”, so it's putting a new command in the coming version.

In this blog post, Google says the change is implemented with a new Content Security Policy directive, upgrade-insecure-resources.

If all of the content is under your control, Google says, “the recommend approach is to enable it via a HTTP response header, Content-Security-Policy: upgrade-insecure-requests”.

If the insecure elements are served from a server you don't control, the policy can be enforced via your page's <head>, using <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">.

The feature is demonstrated here, an HTTP PNG image converted on-the-fly to HTTPS.

Google demonstrates new HTTPs feature

There's also a new permissions API, described here, that allows a Web server to check the user's permissions for features like geolocation, push, notification and Web MIDI.

Instead of the user getting permission requests during page load, a page can include a permissions.query() to check whether a user has already granted a permission to the remote site. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021