While there’s wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to insecure forms and warning users about them.

These “mixed forms” (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy. Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data. 

The Google browser today removes the address bar’s lock icon from sites with mixed forms. However, this proved to deliver an “unclear” experience that “did not effectively communicate the risks associated with submitting data in insecure forms.”

Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer “unique passwords.” The company argues it’s safer than reusing credentials.

Next, the form will show red warning text underneath the field: “This form is not secure. Autofill has been turned off.” The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a “Send anyway” button.

Site developers are encouraged to “fully migrate forms on their site to HTTPS to protect their users.”
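For developers auditing their own pages ahead of that migration, here is an added example (not code from Google or Chrome) that finds form targets leaving HTTPS. It resolves each `action` and `formaction` the way browsers do, including `<base href>`, protocol-relative URLs and empty actions; the class and function names and the sample page are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormTargetCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = None   # first <base href> wins, as in browsers
        self.targets = []      # (tag, raw attribute value), document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_url is None:
            self.base_url = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self.targets.append(("form", a.get("action") or ""))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action
            self.targets.append((tag, a["formaction"]))


def find_mixed_forms(page_url, html):
    """Return (tag, raw_value, resolved_url) for targets that leave HTTPS."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed forms only exist on HTTPS pages")
    collector = FormTargetCollector(page_url)
    collector.feed(html)
    collector.close()
    base = collector.base_url or page_url
    findings = []
    for tag, raw in collector.targets:
        # An empty or missing action submits to the page's own URL.
        resolved = urljoin(base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, raw, resolved))
    return findings


# Constructed sample page, not taken from any real site.
SAMPLE_URL = "https://shop.example/account/login"
SAMPLE_HTML = """
<form action="http://shop.example/login" method="post"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
<form action="//cdn.example/subscribe"><input name="email"></form>
<form action="/profile"><button formaction="http://legacy.example/save">Save</button></form>
"""

if __name__ == "__main__":
    print(*find_mixed_forms(SAMPLE_URL, SAMPLE_HTML), sep="\n")
```

On the sample, only the explicit `http://` action and the `formaction` override are reported; the relative and protocol-relative targets inherit HTTPS from the page.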

Developers with questions are welcome to email us at security-dev@chromium.org.

Other initiatives in this vein include:
