
Troubleshooting Mixed-Content Download Errors in Google Chrome for Salesforce Users

Publish Date: May 12, 2026
Description

Google is rolling out gradual changes to the Google Chrome browser to block mixed-content rendering and mixed-content downloads. Starting in January 2021, Google blocks HTTP file downloads of images, docs, and PDFs from HTTPS sites by default.

This article focuses on Salesforce core products. For the following products see:

And for other clouds and products, see the How does this change affect other Clouds and products section below.

 

What’s affected?

This change may affect your end users’ ability to access non-HTTPS downloads or images started on secure pages within Salesforce.

  • Images

A broken image appears for content such as an image or video that’s hosted on a nonsecure HTTP page when it’s viewed on a secure HTTPS page. 

  • Downloads

An error results from links or attachments hosted on a nonsecure HTTP or FTP site when they’re clicked from a secure HTTPS web page.

 

What action can you take?

Review your custom content and ensure that it’s served through a secure HTTPS host. HTTPS encrypts data in transit (TLS) to prevent attacks such as man-in-the-middle. The method of configuring HTTPS may vary depending on the service you are using. Use the service-specific links above for additional guidance on configuring HTTPS. For more information, read the Google Chrome blog.
 

How does this change affect other Clouds and products?

Salesforce Technology assessed how this change affects its products across clouds and plans to update this article as more information is available.
 

Commerce Cloud 

Review your custom email templates for mixed content. Customer-controlled custom email templates are the only area affected by this change.
 

Industries Cloud

Vlocity 

Review custom-developed UI and Apex classes for potential mixed content issues. Custom-developed UI includes Visualforce pages, Aura components, and LWC or HTML/CSS/JS content served through a secure host. For custom Apex classes, check for URL variables set in code, in data, or received from external APIs that are embedded and rendered in UI. Any embedded insecure content served through an HTTP URL can be removed or replaced with a secure HTTPS host.
 

Experience Cloud (formerly Community Cloud) 

Audit your Visualforce pages, Lightning components, and community configuration to ensure they don’t use mixed content. Ensure that any links that point to downloadable content created or configured in your components use HTTPS.

Salesforce CMS Content
When creating externally referenced media, use secure “https://” URLs to maintain full functionality of your content. Externally referenced media with insecure URLs no longer display their thumbnail images and previews natively.

 

Why is Google making this change?

Insecure downloads are a risk to user security and privacy. For instance, insecure downloads can be swapped out for malware by attackers. And eavesdroppers can read users' insecurely downloaded bank statements. To address these risks, Google plans to eventually remove support for insecure downloads in Chrome. Google announced that Chrome is to gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined in the timeline section, Chrome starts blocking mixed content downloads, that is non-HTTPS downloads started on secure pages. This move follows a plan Google announced last year to block all insecure subresources on secure pages. Initially Google is focusing on insecure downloads started on secure pages. These cases are of concern because Chrome now doesn’t advise users that their privacy and security are at risk.

 

How can I get more information?

Read the Google Chrome blog for detailed information from Google and their expected timeline.

Resolution

FAQ:

What is mixed content?

Browsers load web pages over one of two protocols: HTTP and HTTPS. A website that uses HTTPS is far safer than one that uses HTTP. HTTPS-enabled sites are encrypted, which ensures authentication, data integrity, and secrecy. Some websites, however, load both HTTPS and HTTP content on the same page; this is called mixed content. Most sites that have mixed content issues contain external resources such as images, videos, stylesheets, or scripts loaded over HTTP. Even though the initial request is sent over HTTPS, after the mixed content is rendered, Google Chrome shows the site as insecure because it’s possible that the HTTP resources can harm users.

 

What is the timeline for the change?

The planned Google Chrome rollout begins with a browser warning and then advances to blocking mixed content downloads. The Google Chrome rollout schedule is as follows. 

| Type of content | File examples | Browser warning | Blocking |
|---|---|---|---|
| Executables | exe, apk | Chrome 84 (Aug) | Chrome 85 (Sep) |
| Archives | zip, iso | Chrome 85 (Sep) | Chrome 86 (Oct) |
| Documents | pdf, docx | Chrome 86 (Oct) | Chrome 87 (Nov) |
| Multimedia | png, mp3 | Chrome 87 (Nov) | Chrome 88 (Jan '21) |
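
To apply the audit advice above together with this schedule, the following added example (not Salesforce or Google code) scans rendered HTML, such as a custom email template, for insecure references and labels download links with the Chrome version that blocks them. The extension map holds only the file examples from the table, and the sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# File examples from the rollout table: ext -> (content type, Chrome version that blocks it).
BLOCKED_IN = {"exe": ("Executables", 85), "apk": ("Executables", 85),
              "zip": ("Archives", 86), "iso": ("Archives", 86),
              "pdf": ("Documents", 87), "docx": ("Documents", 87),
              "png": ("Multimedia", 88), "mp3": ("Multimedia", 88)}
EMBED_ATTRS = {"src", "poster", "data"}  # attributes that load content into the page

class MixedContentAudit(HTMLParser):
    """Collect http:// and ftp:// references in markup that is served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, verdict)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            parts = urlsplit(url)
            if parts.scheme.lower() not in ("http", "ftp"):
                continue  # https, relative and protocol-relative URLs are not flagged
            ext = posixpath.splitext(parts.path)[1].lstrip(".").lower()
            if name in EMBED_ATTRS or (tag == "link" and name == "href"):
                verdict = "embedded subresource"
            elif name != "href":
                continue
            elif ext in BLOCKED_IN:
                verdict = "download: %s, blocked from Chrome %d" % BLOCKED_IN[ext]
            else:
                verdict = "link: confirm it is not a download"
            self.findings.append((self.getpos()[0], tag, url, verdict))

def audit(markup):
    parser = MixedContentAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample template; hosts and file names are placeholders.
SAMPLE = """<img src="http://cdn.example.com/logo.png">
<a href="http://files.example.com/statement.pdf">Statement</a>
<a href="ftp://files.example.com/installer.exe">Installer</a>
<a href="http://www.example.com/about">About</a>
<script src="//cdn.example.com/app.js"></script>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

URLs built at run time, for example in Apex variables or values returned by external APIs, do not appear in static markup and still need a manual review.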

 

What’s not included?

1. HTTP only sites/URLs

The impact seems to be specific to nonsecure content shown on secure pages. An HTTP-only page that shows HTTP-only content is unlikely to fail.

2. HTTP page loading

The change doesn’t block loading a site on HTTP only or rendering an email in an email client with no transport layer security (TLS). So HTTP-only pages that have no HTTPS continue to work.

Knowledge Article Number

000389288

 