Google is going a step further to protect people’s information when they try to submit details through unsecured web forms. Starting in the M86 build, Chrome will raise a red flag on forms that are on secure HTTPS pages, but aren’t actually submitted securely. Details sent through these “mixed forms” are potentially visible to lurkers, who might read or change information.
Until now, Chrome only marked mixed forms by removing the lock icon (which is supposed to indicate that your connection to a site is secure) from the address bar. “We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms,” Chrome security team member Shweta Panditrao wrote in a blog post.
Moving forward, Chrome will disable autofill on mixed forms, so that the page isn’t automatically populated with potentially sensitive or private information about you. If a mixed form has login or password prompts, you’ll still be able to use Chrome’s password manager. That helps people enter unique passwords and it’s “safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords,” Panditrao wrote.
If you start entering details on a mixed form, a warning will pop up to tell you it’s not secure. When you try to submit such a form, a full-page alert will explain the potential risks of doing so, and ask if you’d like to continue anyway.
This appears to be part of a plan Google announced last October to block HTTP subresources on HTTPS pages by default in Chrome. That’s been a gradual process. Tackling mixed forms is a positive move, and hopefully it’ll prompt more developers to migrate forms on their sites to HTTPS.
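As an added illustration (not code from the Chrome team or from the post being reported on): a small Python checker a site owner could run over their own pages to find the mixed forms Chrome 86 will warn about. The page URL and HTML are constructed samples; the checker resolves relative actions against the page URL, honours `<base href>`, and treats `formaction` overrides on submit controls the same way as a form's `action`.

```python
"""Find forms on an HTTPS page that would submit over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormTargetCollector(HTMLParser):
    """Collect every URL a form on the page could submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url   # a <base href> may change this
        self.base_seen = False
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # valueless attrs give None
        if tag == "base" and "href" in attrs and not self.base_seen:
            # Browsers honour only the first <base href>; it changes how
            # relative form actions resolve.
            self.base_url = urljoin(self.base_url, attrs["href"].strip())
            self.base_seen = True
        elif tag == "form":
            # A missing or empty action submits back to the document URL.
            self.targets.append(urljoin(self.base_url, attrs.get("action", "").strip()))
        elif tag in ("input", "button") and "formaction" in attrs:
            # formaction on a submit control overrides the form's action.
            self.targets.append(urljoin(self.base_url, attrs["formaction"].strip()))


def find_mixed_forms(page_url, html):
    """Return the submit targets that use plain http on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed forms are only possible on HTTPS pages
    collector = FormTargetCollector(page_url)
    collector.feed(html)
    # urlsplit lowercases the scheme, so "HTTP://..." is caught as well.
    return [t for t in collector.targets if urlsplit(t).scheme == "http"]


# Constructed sample page (not a real site).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="/order"></form>                       <!-- relative: stays https -->
<form action="http://legacy.example/order"></form>  <!-- mixed form -->
<form action="//cdn.example/form"></form>           <!-- scheme-relative: https -->
<form></form>                                       <!-- no action: submits to page itself -->
<form action="/pay"><button formaction="HTTP://old.example/pay">Pay</button></form>
"""

if __name__ == "__main__":
    for target in find_mixed_forms(SAMPLE_URL, SAMPLE_HTML):
        print("mixed form submits to:", target)
```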