Can I configure Chrome to block insecure content on mixed pages

In Chrome I've noticed that I occasionally get mixed-content warnings in the url bar, eg:

gmail mixed content ssl warning

Can I configure Chrome to block mixed content, not just warn about it (or, if I have accidentally dismissed a warning before - reset the default).

The reasoning being - this tells me nicely, after the bad thing has happened. I'd rather the bad thing was blocked - after which, by all means warn me.

Details:

I'm using Gmail*, so it's not just the little sites, but I've seen it on other websites.

I get no pop-ups or dialogues asking if I want to display the insecure content.

Clicking on the padlock to get the details shows the following message, which implies that the insecure resources were displayed and not blocked:

Your connection to mail.google.com is encrypted with 128-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

I'm using Chrome 30.0.1599.101 on OSX, but I've seen this previously in older versions.

*Strictly speaking I'm using google apps for domains, ie, my current employer use gmail for their domain's email. Checking the javascript log (instructions)shows that the insecure content was due to a logo of my employer downloaded via an insecure connection. Getting them to fix that would also help of course - but that's outside the scope of this question.

Andrew M

Posted 2013-11-06T18:02:07.377

Reputation: 176

Are you essentially asking whether Chrome has settings equivalent to Firefox's security.mixed_content.block_display_content and security.mixed_content.upgrade_display_content configuration options? – sampablokuper – 2019-02-06T16:15:28.500

Answers

Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:

--no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
--enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
--enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.

sampablokuper

Posted 2013-11-06T18:02:07.377

Reputation: 2 389

Chrome blocks some insecure high-risk content (javascript) and allows other lower risk content (images)

Visit this strange ie mixed content test page, and look at the javascript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.

This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.

Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the javascript (which firefox call "active content", but not the images "passive content").

With respect to Gmail specifically, I found this life hacker article on gmail security icons. which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single page app, and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.

Andrew M

Posted 2013-11-06T18:02:07.377

Reputation: 176