Google disables insecure form warnings feature in their latest Chrome 87 release

After receiving many complaints from users and website operators, Chrome has finally disabled the feature that displays a warning when submitting insecure forms.

Beginning with M86, Chrome warns users when they try to complete forms on secure (HTTPS) pages that are submitted insecurely, as these mixed forms create a risk to users’ security and privacy.

The information submitted on these forms can be visible to eavesdroppers, allowing them to read or change the sensitive data. Submitting such an insecure form displays a warning about these risks and asks users whether they wish to continue submitting the information.

The problem with this feature, as many website administrators reported in a Chromium bug report after the Chrome 87 release, is that Google Chrome would show the insecure form warning even when the form submission itself was secure. In these cases, users are redirected to an HTTP URL after the submission.

After such reports, Carlos Joan Rafael Ibarra Lopez, a Google software engineer, stated on December 15th that they are disabling this feature in Chrome 87 in order to adjust it so that HTTP redirects after a secure form submission do not generate a warning.

“After considering the unexpectedly large impact this change had on form submissions that involve redirects through HTTP sites, we have decided to roll back the change for Chrome 87. We expect the configuration to be out later today, at which point it will take effect on the next Chrome restart. I’ll ping this bug with updates.

We are planning to re-enable the warnings in Chrome 88 (tentatively going to stable on January 19, 2021), but warning only on forms that directly submit to http://, or that redirect to http:// with the form data preserved through the redirect, so it won’t trigger for the cases mentioned in this bug where the http:// hop didn’t carry the form data.

That being said, I still encourage sites to keep https:// throughout the whole redirect chain, as http:// steps still compromise user privacy (by exposing the form target location) even if no form data is being exposed.

Apologies for the issues caused by this new warning.”

The rollback has been pushed to Google Chrome. Users who are still seeing these warnings should restart their browsers to pick up the new configuration. To test whether their forms and redirects are working as expected, as Lopez said, users should enable the “Mixed forms interstitial” flag in chrome://flags.
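For site owners auditing their own forms, the three cases in the quoted plan can be written as a check over a form's redirect chain. This is an added example, not code from Chrome or from the bug report; the function name, result labels and sample URLs are hypothetical, it covers POST forms only, and it assumes that only 307/308 redirects carry the POST body to the next hop.

```javascript
// Added example: classify a POST form submission against the cases in the
// quoted Chrome 88 plan. Labels and inputs are constructed for illustration.

// Assumption: 307/308 replay the POST body on the next hop, while
// 301/302/303 make the browser follow up with a body-less GET.
const BODY_PRESERVING = new Set([307, 308]);

// pageUrl: URL of the page hosting the form
// action:  the form's action attribute (may be relative)
// hops:    redirect responses in order, e.g. [{ status: 302, location: '...' }]
function classifyPostSubmission(pageUrl, action, hops = []) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return 'not-a-mixed-form';

  let current = new URL(action, page); // resolve relative actions
  if (current.protocol === 'http:') return 'warn-direct-http-submit';

  let carriesData = true; // the first request always carries the form data
  let sawHttpHop = false;
  for (const { status, location } of hops) {
    const next = new URL(location, current); // Location may be relative
    // Once one hop drops the body, later hops cannot restore it.
    carriesData = carriesData && BODY_PRESERVING.has(status);
    if (next.protocol === 'http:') {
      if (carriesData) return 'warn-redirect-carries-form-data';
      sawHttpHop = true; // no form data, but the target location is exposed
    }
    current = next;
  }
  return sawHttpHop ? 'no-warning-http-hop-exposes-target' : 'secure';
}
```

A result of `no-warning-http-hop-exposes-target` is the case the quote still advises fixing by keeping https:// throughout the redirect chain.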

Google Chrome 88 will be available on January 19th, 2021. Google is expected to enable this feature again with that release.