Google Chrome Disables Insecure Form Warnings After Complaints

Google has disabled a feature that displays a warning when submitting insecure forms after receiving many complaints from users and website administrators.

Google has been focusing on removing mixed-content in Google Chrome, when a secure page (HTTPS) loads content from an insecure (HTTP) URL. As part of this initiative, Google rolled out a new feature in Chrome 86 that warns users when submitting insecure forms from a secure (HTTPS) page to an insecure (HTTP) URL.

Submitting an insecure form would display a warning about the risks of doing so and asks the user if they wish to continue submitting the information.

With the release of Chrome 87, this new feature went live for everyone, and many website administrators began reporting problems in a Chromium bug report.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

The problem is that Google Chrome would show the insecure form warning even if the form submissions were secure, but the user was redirected to an HTTP URL after submitting the form.

For example, a form submission flow of HTTPS Form > HTTPS URL > Redirect to HTTP URL would generate a warning in Chrome, even though the form was submitted securely. These warnings would then break the redirect chain websites use after submitting a form or logging into the site.

Chrome users say that this is a bug as the form submissions are secure, and only the redirect went to an HTTP URL.

Google disables feature while they make changes

On December 15th, Google software engineer Carlos Joan Rafael Ibarra Lopez stated that they are disabling the feature in Chrome 87 to adjust it, so HTTP redirects after a secure form submission do not generate a warning.

“After considering the unexpectedly large impact this change had on form submissions that involve redirects through HTTP sites, we have decided to roll back the change for Chrome 87. We expect the configuration to be out later today, at which point it will take effect on the next Chrome restart. I’ll ping this bug with updates.

We are planning to re-enable the warnings in Chrome 88 (tentatively going to stable on January 19, 2021), but warning only on forms that directly submit to http://, or that redirect to http:// with the form data preserved through the redirect, so it won’t trigger for the cases mentioned in this bug where the http:// hop didn’t carry the form data.

That being said, I still encourage sites to keep https:// throughout the whole redirect chain, as http:// steps still compromise user privacy (by exposing the form target location) even if no form data is being exposed.

Apologies for the issues caused by this new warning.”

The rollback has already been pushed to Google Chrome, and users who are still seeing these errors should restart the browser to get the new configuration change.

Lopez recommends that users test their sites by enabling the “Mixed forms interstitial” flag in chrome://flags before Chrome 88 is released to make sure their forms and redirects are working as expected.

“Re #210: This behavior can be enabled by switching the “Mixed forms interstitial” feature on from chrome://flags. If you do it in the current version of Chrome this will enable the stricter behavior that we had in 87 (it will eventually be changed to match what we plan to relaunch in 88), but if you check your website doesn’t trigger a warning with this behavior, it will definitely not trigger one in 88, since enforcement will be less strict.”

Also Read: 5 Common Sections in an Agreement Form Example

Google will enable this feature again in Chrome 88, which is expected to be released on January 19th, 2021.