June 22, 2011

Chrome 14 Blocks Insecure JavaScript

Chrome 14, only available in the Dev and Canary channels right now, adds a security feature that could affect a lot of sites. If you visit an HTTPS page that pulls in scripts over plain, unencrypted HTTP, Chrome will refuse to load those scripts.


When a website is secured via HTTPS, the web site designer must also ensure that all of the scripts used by the page are delivered in the same secure manner as the main page itself. The same requirement applies to the plugins and external CSS stylesheets used by the page, since these carry the same risk as JavaScript. When this is not the case (sometimes called a 'mixed script' situation), visitors to the site run the risk that an attacker on the network can interfere with the unencrypted request and replace the script with one that serves their own purposes, on a page that is otherwise protected by HTTPS.

Traditionally, browsers have run the mixed script, genuine or not, and notified you after the fact with a broken lock icon, a dialog box, or a red https:// in the location bar (in the case of Google Chrome). The problem with this approach is that by the time the script has run, it is already too late: the script has had access to all of the data on the page, including the parts that were delivered over HTTPS. Google Chrome now protects you by refusing up-front to run any script on a secure page unless it is also being delivered over HTTPS.
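Since Chrome 14 doesn't let you whitelist a site, the durable fix is to find the offending references before deploying. The following is an added example (not code from the original post, from Google, or from Chrome) of a small offline lint that scans HTML for the active resource types the text names (scripts, stylesheets, plugin objects) and reports any that would load over http:// on an https:// page. The sample page, hostnames and the `findMixedScript` / `rewriteToHttps` names are constructed for illustration; the tag scanning uses simple regexes rather than a full HTML parser, which is enough for a build-time check but not for adversarial input.

```javascript
// Added example, not part of the original post: a build-time lint for
// "mixed script" references. It flags active sub-resources (scripts,
// stylesheets, plugin objects) that resolve to http:// when the page
// itself is served over https://. Images are deliberately NOT flagged:
// the post only describes Chrome 14 blocking scripts, CSS and plugins.

// Tag name and the attribute that carries the resource URL.
const ACTIVE_ATTRS = [
  ["script", "src"],
  ["link", "href"],   // only counted when rel contains "stylesheet"
  ["object", "data"],
  ["embed", "src"],
];

// Returns [{tag, url, resolved}] for every active resource that an
// https:// page would fetch over plain http://. Relative URLs and
// scheme-relative "//host/path" URLs inherit the page's scheme and are
// therefore fine; absolute http:// URLs are the problem.
function findMixedScript(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only https pages are affected
  const findings = [];
  for (const [tag, attr] of ACTIVE_ATTRS) {
    const tagRe = new RegExp(`<${tag}\\b([^>]*)>`, "gi");
    let m;
    while ((m = tagRe.exec(html)) !== null) {
      const attrs = m[1];
      if (tag === "link" &&
          !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
      // (?<![\w-]) keeps "data-src=" from matching as "src=".
      const v = new RegExp(`(?<![\\w-])${attr}\\s*=\\s*["']?([^"'\\s>]+)`, "i")
        .exec(attrs);
      if (!v) continue;
      let resolved;
      try {
        resolved = new URL(v[1], page.href);
      } catch {
        continue; // unparsable URL: nothing the browser would fetch
      }
      if (resolved.protocol === "http:") {
        findings.push({ tag, url: v[1], resolved: resolved.href });
      }
    }
  }
  return findings;
}

// Rewrites the flagged absolute http:// references to https://.
// Caveat: this only helps if the third-party host really serves the same
// resource over HTTPS (the comments below note that some ad networks did
// not); verify that before shipping the rewritten page.
function rewriteToHttps(html, pageUrl) {
  let out = html;
  for (const f of findMixedScript(html, pageUrl)) {
    if (f.url.toLowerCase().startsWith("http://")) {
      out = out.split(f.url).join("https://" + f.url.slice("http://".length));
    }
  }
  return out;
}

// Constructed sample page (hostnames are invented) with safe and unsafe references.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="https://cdn.example.net/app.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<script src="http://ads.example.org/tracker.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<embed src="http://media.example.org/player.swf" type="application/x-shockwave-flash">
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findMixedScript(SAMPLE_HTML, "https://www.example.com/")) {
    console.log(`${f.tag}: ${f.url} -> ${f.resolved}`);
  }
}
```

Running the block on the sample reports the tracker script, the stylesheet and the Flash embed, but not the favicon, the image, or the scheme-relative widget.js, which Chrome would fetch over HTTPS on an HTTPS page. The scheme-relative form is the usual fix for resources you host yourself.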

You can bypass this feature by clicking "Load anyway" in the infobar displayed at the top of the page, but Chrome doesn't remember your preference. Unfortunately, you can't whitelist a domain or a subdomain, so you'll have to click "Load anyway" and wait until the page is reloaded. There's a command-line flag that lets you disable this feature: --allow-running-insecure-content, but Google says that it should only be used by "users and admins who have internal applications without immediate fixes for these errors".

Chrome has recently added many other security features, including a function for generating strong random numbers, a way to force HTTPS for any domain you want, an initial implementation of Content Security Policy that helps protect against Cross Site Scripting and a more secure Gmail that uses HTTPS for all connections, even when you type "gmail.com" in the address bar.

15 comments:

  1. So far I've seen it only on igoogle.com, aka google.com/ig, and what is rather funny ;-) is that it comes from talkgadget, created by Google, which is an integral part of iGoogle ;-)

  2. Good job on Chrome's part. I hope it doesn't bitch about bookmarklets.

  3. It drives me insane in Google Reader.

  4. The occasional image-based ads that appear in Gmail break the HTTPS connection. I wonder if Google will practice what it's preaching? LOL

  5. Kalleguld

    Yes, it DOES bitch about bookmarklets. If you don't click the "load anyway" option it deactivates all my bookmarklets, and the problem is that there is no option to activate them afterwards; you have to close all instances of Chrome Browser 14.

  6. Does Google know this behaviour prevents Google Contacts APIs (for JavaScript) from working?

  7. We are using the developer version; this feature is still in development.

  8. It also bitches a lot on Facebook and causes continuous reloads of Google Reader.

  9. Interesting, considering AdSense doesn't support SSL.

    Good move, nonetheless.

  10. Still needs *serious* work as it breaks many sites and causes problems on many others... some Google sites in particular, like Reader. Good in concept, but a poor implementation... so far.

  11. Each time I open my Gmail account, I see this message at the top of the page: "this page has insecure content", giving me 2 options: Don't load (Recommended) or Load anyway. I see that each time. How can I fix that? I don't want to see this alert anymore. Thank you

  12. Check your extensions. They are unsafe. Really guys, who knows what your grammar checker (or another extension) will do? If it has access to an SSL page, it is wrong. Extension developers will react soon.

  13. I get this on Facebook, and when I click Don't Load, Load Anyway or try to exit, it won't function. Very frustrating!

  14. I'm only seeing this on Facebook. When I try to click Don't Load, Load Anyway or Exit, the buttons don't function. I may have to just move back to IE. UGH

  15. To Anonymous: Who the hell are you? Are you a developer? If so, this feature interferes with quite a bit that I do. If you actually have reasonable info sources regarding this, please share or identify yourself. Don't do "Anonymous". We don't know if you're talking truth or out of your butt. Oh, and this page we're on is also affected by this guff.

