Chrome 14 Blocks Insecure JavaScript

Chrome 14, only available in the Dev and Canary channels right now, adds a security feature that could affect a lot of sites. If you're visiting an SSL site that loads some scripts using unencrypted connections, Chrome will refuse to load the scripts.


When a website is secured via HTTPS, the website designer must also ensure that all of the scripts used by the page are delivered in the same secure manner as the main page itself. The same requirement applies to the plugins and external CSS stylesheets used by the page, as these raise the same considerations as JavaScript. When this is not the case (sometimes called a 'mixed script' situation), visitors to the site run the risk that an attacker on the network can interfere with the website and alter the script to serve their own purposes.

Traditionally, browsers have run the mixed script, genuine or not, and notified you after the fact with a broken lock icon, a dialog box, or a red https:// in the location bar (in the case of Google Chrome). The problem with this approach is that by the time the script has run, it is already too late, because the script has had access to all of the data on the page. Google Chrome now protects you by refusing up front to run any script on a secure page unless it is also delivered over HTTPS.
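Site owners who want to find these references before Chrome 14 starts blocking them can audit their own pages for explicit http:// sources. The following scanner is an added example, not code from the original post or from Chrome; it walks an HTML document with Python's standard html.parser and reports script, plugin (object/embed) and stylesheet references that an HTTPS page would load over plain HTTP. Relative and protocol-relative (`//host/...`) URLs inherit the page's scheme and are therefore not flagged. The hostnames in the sample page are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Element/attribute pairs that carry active content: the kinds of reference
# the article says Chrome 14 refuses to run on a secure page.
ACTIVE_SOURCES = {
    "script": ("src",),
    "link": ("href",),      # only counted when rel contains "stylesheet"
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collect active-content references that resolve to a plain http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_SOURCES:
            return
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return          # icons, canonical links etc. are not stylesheets
        for name in ACTIVE_SOURCES[tag]:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve against the page URL: relative and "//host/path" forms
            # inherit https, so only an explicit http:// reference is mixed.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((tag, resolved))


def find_mixed_script(page_url, html):
    """Return the (tag, url) pairs a secure page would load insecurely."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content is only a concern on a secure page
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a mix of secure, protocol-relative and plain-HTTP
# references; hostnames are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="icon" href="http://static.example.test/favicon.ico">
<script src="https://static.example.test/app.js"></script>
<script src="//static.example.test/lib.js"></script>
<script src="http://ads.example.test/tracker.js"></script>
</head><body>
<object data="http://media.example.test/player.swf"></object>
<img src="http://images.example.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_script("https://www.example.test/", SAMPLE_PAGE):
        print(f"<{tag}> loads active content over HTTP: {url}")
```

Only the stylesheet, the tracker script and the plugin object are reported; the favicon is not active content, the protocol-relative library resolves to HTTPS, and the image is left alone because the article describes the block as applying to scripts, plugins and stylesheets. Run the same function over each template or rendered page of a site and fix every hit by serving the resource from an HTTPS URL.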

You can bypass this feature by clicking "Load anyway" in the infobar displayed at the top of the page, but Chrome doesn't remember your preference. Unfortunately, you can't whitelist a domain or a subdomain, so you'll have to click "Load anyway" and wait until the page is reloaded. There's a command-line flag that lets you disable this feature: --allow-running-insecure-content, but Google says that it should only be used by "users and admins who have internal applications without immediate fixes for these errors".

Chrome has recently added many other security features, including a function for generating strong random numbers, a way to force HTTPS for any domain you want, an initial implementation of Content Security Policy that helps protect against Cross Site Scripting and a more secure Gmail that uses HTTPS for all connections, even when you type "gmail.com" in the address bar.
