Chrome 14 blocks unencrypted scripts on secure sites
updated 09:55 pm EDT, Wed June 22, 2011
Users can still choose to load page anyway
Google appears to have revamped the security features in Chrome 14, an update to the company's browser that is still in beta development. The build currently blocks secure sites from using unencrypted scripts on pages that are supposed to be protected via HTTPS protocols. Aside from JavaScript scripts, the blocks also extend to plug-ins and external CSS stylesheets.
In a post on Google's Chrome support site, the company explains that current browsers only notify users after the insecure scripts have been allowed to run. If the sites happen to be compromised by an attacker using the insecure scripts as an exploit, the damage may have already been done by the time a user realizes that there is a security issue.
Rather than highlighting mixed script sites with a red 'https://' in the location bar, Chrome 14 blocks sites from running any scripts that are not also protected by HTTPS. Users may notice that some sites do not properly display, however the browser will provide a "Allow Anyway" option for bypassing the protection system. The browser also includes a mechanism for notifying site owners of potential problems. [via Google Operating System]
Via Facebook
Joined: Jun 2011
Awesome!
I mean, it's bound to become a nightmare for users and webmasters by the time it rolls down to the stable channel, but from a security standpoint, it's a much-needed step forward.