With the release of Chrome 46, the Chrome security team has announced a change in how the Chrome browser will display sites with mixed content.
HTTPS sites with mixed content will now look the same to visitors as a regular unsecured HTTP site in Chrome (as shown below). When you have purchased an SSL certificate to secure your site, you don’t want that to happen.
(Image credit: Google Online Security Blog)
In a recent blog post, the Chrome team stated two reasons for this change: to better visually indicate the security state of a page relative to HTTP, and to give Chrome users fewer security states to learn.
It’s great to see Chrome move to a more simplified approach for displaying SSL security. Expecting a visitor to differentiate between secure and non-secure elements embedded into a page that is being delivered over SSL is unreasonable and unnecessary. A visitor should only be concerned with "secure" or "not secure"; there is no need to understand the nuances of an in-between state.
The end result is a user experience that should (in time) not require understanding of the principles or relevance of mixed content.
Why the Mixed Content Error?
Mixed content occurs when a webpage containing a combination of both secure (HTTPS) and non-secure (HTTP) content is delivered over SSL to the browser. Non-secure content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS. Mixed content errors are a concern because modern websites are increasingly dynamic and built from many different live data sources or third-party elements such as social media feeds, analytics code, advertising, etc.
The best solution, of course, is to make sure that these warnings and/or blocks won’t occur in the first place by correctly configuring your site to serve only secure content.
Learn more about fixing mixed content issues by reading our blog post, "How to Fix Mixed Content Warnings on your SSL Website".