Chrome 86 will prominently warn about insecure forms on secure pages
Entering information into and submitting it through insecure online forms will come with very explicit warnings in the upcoming Chrome 86, Google has announced.
The new alerts
The browser will show a warning when a user begins filling out a mixed form (a form on a HTTPS site that does not submit through an HTTPS channel) and when a user tries to submit a mixed form.
“Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms,” Shweta Panditrao, a software engineer with the Chrome Security Team, explained.
The last warning will be especially impossible to miss, as it will be shown on a full page:
The submission of the info will be temporarily blocked and it’s on users to decide if they want to risk it and override the block to submit the form anyway.
Google is also planning to disable the autofill feature of the browser’s password manager on all mixed forms except login forms (forms that require users to enter their username and password).
“Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords,” Panditrao explained the rationale for that exception.
Simultaneously, Google encouraged developers to fully migrate forms on their site to HTTPS to protect their users.
Google’s push towards HTTPS and blocking mixed content
For many years, Google has been working on making HTTPS the standard for any and every online action.
In 2014, the company started prioritizing websites using HTTPS in Google Search results.
In 2017, Chrome started labeling sites that transmit passwords or credit cards information over HTTP as “Not secure”. Later that same year, Chrome started showing the same alert for resources delivered over the FTP protocol.
Then, in 2018, Chrome began explicitly marking all HTTP sites as “not secure”.
In 2019, Google published roadmap for Chrome’s gradual but inexorable push towards blocking mixed content (insecure HTTP subresources – images, audio, and video – loading on HTTPS pages).
Earlier this year, it did the same for mixed content downloads, and effort that is supposed to be finalized in Chrome 86, which is slated to be released in October 2020.