Google will be introducing a security feature in its Chrome browser that will protect users' sensitive data from being transferred over unprotected forms. Some websites contain “mixed forms” (forms on HTTPS sites that do not submit on HTTPS). These are a risk to users’ security and privacy. Users can verify an HTTPS connection by looking at the ‘closed lock’ symbol next to the address bar in the browser. If the information is submitted via an unsecured form, it can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data.
Chrome will now disable Autofill functionality on these mixed forms. Whenever a user starts filling in fields, they will see warning text alerting them that the form is not secure.
If a user proceeds to submit the form anyway, Chrome will show a full-page warning describing the potential risk and asking them to confirm whether they’d like to submit anyway.
However, Chrome's password manager will continue to work on mixed forms. It is still the user’s responsibility to verify security before submitting their credentials.
Previously, Chrome informed users about the presence of mixed forms by removing the lock icon from the address bar. The team found that this did not effectively communicate the risks associated with submitting data in insecure forms.
Google is planning to introduce this feature with Chrome 86.
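For site owners who want to find mixed forms on their own pages before visitors see the warning, the following added example (not from Google or the Chrome project) scans a page's HTML for form targets that resolve to plain HTTP. The names `FormTargetCollector` and `find_mixed_forms` and the sample page are constructed for illustration; the check applies the definition of a mixed form given above and is not Chrome's own detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormTargetCollector(HTMLParser):
    """Collects every URL a form on the page can submit to."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced by the first <base href>, if any
        self.base_seen = False
        self.targets = []      # (source, raw attribute value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and not self.base_seen:
            self.base, self.base_seen = urljoin(self.base, a["href"]), True
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.targets.append(("form", (a.get("action") or "").strip()))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self.targets.append((tag + "[formaction]", a["formaction"].strip()))

def find_mixed_forms(page_url, html):
    """Return (source, resolved_url) for targets that leave HTTPS for HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []              # mixed forms only exist on HTTPS pages
    collector = FormTargetCollector(page_url)
    collector.feed(html)
    mixed = []
    for source, raw in collector.targets:
        resolved = urljoin(collector.base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            mixed.append((source, resolved))
    return mixed

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="/pay" method="post"><input name="card"></form>
<form action="http://shop.example/newsletter"><input name="email"></form>
<form action="//forms.example/contact"><input name="msg"></form>
<form method="post"><input name="q">
  <button formaction="http://legacy.example/search">Search</button></form>
"""

if __name__ == "__main__":
    for source, url in find_mixed_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed form target via {source}: {url}")
```

The scan is static, so it only sees targets written into the markup; a form whose action is set by script at submit time needs a separate check.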