This past Monday, 17 August 2020, Google made the following post in its Chromium Blog: Protecting Google Chrome users from insecure forms.
The next version of Chrome is M86, and is expected to be coming out in Beta September 3rd to 10th and to have a stable release on October 6th as reported here: Chrome Platform Status.
The announcement makes the following statements:
Chrome will be making the following changes to communicate the risks associated with mixed form submission:
- Autofill will be disabled on mixed forms.
Note: On mixed forms with login and password prompts, Chrome’s password manager will continue to work. Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords.
- When a user begins filling out a mixed form, they will see warning text alerting them that the form is not secure.
- If a user tries to submit a mixed form, they will see a full page warning alerting them of the potential risk and confirming if they’d like to submit anyway.
If you are unsure whether you have mixed content on a site of yours, the following tool will crawl your site and let you know:
MissingPadlock.com/
For this week's poll I ask if you have sites using http rather than https for forms. If you do, then user interaction with your site will take a turn for the worse, at least for users of the latest version of Chrome, in October. Please share your thoughts about the change, and if you plan any changes based on this new announcement by Google.
For my part, I can say that we decided a few weeks ago that we were going to be actively converting all of the sites we had not yet converted to https over the course of the next month. I'm certainly glad we made that decision already given this latest announcement. That will, of course, include the GPWA website, for those of you who have been patiently waiting for that change. It is one of only a couple sites of ours that currently makes extensive use of forms that are not served using https.
Michael
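
Added example, not part of the original post: a Python check for the mixed forms the announcement describes, taking a mixed form to be a form on an HTTPS page whose submission target resolves to plain HTTP. The function and class names, the sample page and the example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not from the post); example.com is a placeholder.
SAMPLE_PAGE = """
<form action="/search"><input name="q"></form>
<form action="http://example.com/signup"><input name="email"></form>
<form action="//example.com/login"><input name="user"></form>
<form><button formaction="http://example.com/legacy">Send</button></form>
"""


class FormScanner(HTMLParser):
    """Collects raw submission targets: form actions and formaction overrides."""

    def __init__(self):
        super().__init__()
        self.base_href = None   # first <base href> wins, as in browsers
        self.targets = []       # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            self.targets.append((tag, "action", (a.get("action") or "").strip()))
        elif tag in ("button", "input") and a.get("formaction"):
            self.targets.append((tag, "formaction", a["formaction"].strip()))


def find_mixed_forms(page_url, html):
    """Return targets on an HTTPS page that would submit over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []               # an HTTP page is insecure throughout, not "mixed"
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    base = urljoin(page_url, scanner.base_href) if scanner.base_href else page_url
    findings = []
    for tag, attr, raw in scanner.targets:
        # A missing or empty action submits back to the page's own URL.
        resolved = urljoin(base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            findings.append({"tag": tag, "attr": attr, "target": resolved})
    return findings


if __name__ == "__main__":
    for f in find_mixed_forms("https://example.com/contact", SAMPLE_PAGE):
        print(f"mixed form: <{f['tag']} {f['attr']}> -> {f['target']}")
```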