Can I configure Chrome to block insecure content on mixed pages

Solution 1:

Chrome blocks some insecure high-risk content (JavaScript) and allows other lower-risk content (images).

Visit this strange IE mixed content test page, and look at the JavaScript console. You can see that images are displayed (with warnings in the console) but insecure scripts are blocked.

This is ok, but not great. A malicious man-in-the-middle could still track a user in this way. I'd still like the option to block all of the insecure content.

Firefox 23+ also has this feature (verified by me on the test page above in Firefox 24) in that it blocks the JavaScript (which Firefox calls "active content") but not the images ("passive content").

With respect to Gmail specifically, I found this Lifehacker article on Gmail security icons, which explained that I probably downloaded external images into an email... which triggers the warning, and because Gmail is a single-page app and doesn't normally reload, the yellow padlock never goes away. Refresh the page, and it goes green again.
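An added example (not code from either answer) that applies the active/passive split described above: a scanner that lists the http:// subresources of an HTTPS page and groups them into the class browsers block by default (scripts, frames, stylesheets) and the class they load with a warning (images, media). The tag table, the sample HTML and the page URL are constructed assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed table: (tag, attribute) pairs that fetch a subresource.
# "Active" content can run code or touch the DOM; "passive" cannot.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "href", "data"):
            key = (tag, attr)
            if (key not in ACTIVE and key not in PASSIVE) or attrs.get(attr) is None:
                continue
            # <link> only pulls in a subresource when it is a stylesheet
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                continue
            # urljoin resolves relative and protocol-relative (//host) URLs
            # against the HTTPS page, so only explicit http:// survives
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                (self.active if key in ACTIVE else self.passive).append(url)


def scan(page_url, html):
    """Return (active, passive) lists of http:// subresource URLs."""
    if urlsplit(page_url).scheme != "https":
        return [], []  # mixed content only exists on a secure page
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.active, parser.passive


# Constructed sample page served from https://example.test/mail
SAMPLE = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/ok.js"></script>
</head><body>
<img src="http://images.example.test/pixel.gif">
<img src="/logo.png">
<iframe src="https://safe.example.test/"></iframe>
</body></html>"""

if __name__ == "__main__":
    active, passive = scan("https://example.test/mail", SAMPLE)
    print("blocked by default:", active)
    print("loaded with warning:", passive)
```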

Solution 2:

Chrome and Chromium have (or at least, have had, at times in their history) some relevant command-line flags for this:

  • --no-displaying-insecure-content reportedly overrides the fact that "By default, an https page can load images, fonts or frames from an http page."
  • --enable-strict-mixed-content-checking reportedly "Blocks all insecure requests from secure contexts, and prevents the user from overriding that decision," which sounds like what you are after.
  • --enable-potentially-annoying-security-features reportedly "Enables a number of potentially annoying security features (strict mixed content mode, powerful feature restrictions, etc.)," which sounds as though it is equivalent to using --enable-strict-mixed-content-checking and some other, unspecified flags.