We’ve all become used to websites utilizing HTTPS, especially as browsers pop up warnings for non-HTTPS web pages, but Chrome version 86 is going a step further and targeting web forms.
In a post on the Chromium Blog, Shweta Panditrao from the Chrome Security Team has announced that Chrome 86 is introducing more security around web forms. The problem being tackled is known as “mixed forms.” That’s the term used for when a user is presented with a web form served using a secure HTTPS link, but when the form is filled in and the user clicks the button to send it, the submission happens using an insecure (non-HTTPS) connection.
There’s no easy way for the user to tell if the submission process is secure before filling out the form and submitting it, but Chrome 86 will know and can warn the user. When a mixed form is detected, Chrome will disable the Autofill feature so you don’t automatically fill it with personal information. Then, if the user begins to fill out the form manually, a warning text box will appear “alerting them that the form is not secure.” If the user continues anyway and attempts to submit the form, “they will see a full page warning alerting them of the potential risk and confirming if they’d like to submit anyway.”
If by that point the user hasn’t realized it’s risky to use the form, then the blame lies with them for continuing. Google can’t really do much more than visually warn the user twice. On the flip side, knowing these warnings are being introduced will hopefully encourage more developers and website owners to invest their time in ensuring any web forms they use submit the information contained in the form securely.
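For site owners, here is an added example (not from the Chromium post or Chrome's own code) of auditing a page's markup for mixed forms: it resolves each form `action` and submit-control `formaction` against the page URL and reports the ones that end up on plain HTTP. The URLs and HTML are constructed samples, and a static check like this does not see actions rewritten by script at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class MixedFormFinder(HTMLParser):
    """Collects submission targets that leave an HTTPS page for plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url  # replaced if the page declares <base href>
        self.findings = []

    def _check(self, tag, attr, target):
        # A missing or empty action submits to the document URL itself.
        resolved = urljoin(self.base_url, target) if target else self.page_url
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_url = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self._check(tag, "action", a.get("action"))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self._check(tag, "formaction", a["formaction"])

def find_mixed_forms(page_url, html):
    """Return (tag, attribute, resolved_url) for each insecure target."""
    if urlsplit(page_url).scheme != "https":
        return []  # only a page served over HTTPS can host a mixed form
    finder = MixedFormFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, assumed to be served from PAGE_URL.
PAGE_URL = "https://example.test/account"
SAMPLE_HTML = """
<form action="http://example.test/login" method="post"><input name="pw"></form>
<form action="/search"><input name="q"></form>
<form action="https://example.test/pay">
  <button formaction="http://legacy.example.test/pay">Pay</button>
</form>
<form action="//cdn.example.test/subscribe"></form>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_forms(PAGE_URL, SAMPLE_HTML):
        print(f"mixed form: <{tag} {attr}> submits to {url}")
```

The relative and protocol-relative actions inherit HTTPS from the page and are not reported; the explicit `http://` action and the `formaction` override are.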
The Chrome 86 Beta is set to start at some point between Sep. 3-10 and will be followed by a Stable release on Oct. 6. Before that, Chrome 85 is set to be released in Stable form next week on Aug. 25, but you can grab the beta right now.