Loading

Image or Link is Broken when using Salesforce CPQ in Google Chrome

Publiceringsdatum: Apr 30, 2026
Beskrivning
Google has begun blocking mixed content downloads in Google Chrome to protect users from insecure downloads (Announcement Link). Google’s effort began in September 2020 and will be continued through Chrome 86.
To review additional details on this announcement, please refer to this Google Chrome blog

Insecure downloads are a risk to users’ security and privacy. For instance, insecure downloads can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, Google removed support for insecure downloads in Chrome. Google Chrome will ensure that secure (HTTPS) pages only download secure files.  To review additional details on this announcement, please refer to this Google Chrome blog. To provide additional context on how other browsers have handled this situation, Firefox has blocked mixed active content by default for several years.
 

Impacted Areas:

  1. Rich Text
  2. URL
  3. Formula


Scenarios that return a broken link in the Quote Line Editor:

  1. Unsecured image tags (HTTP) referenced in rich text fields will appear as a broken image link.
  2. Formula fields that return an image tag from an unsecure (HTTP) reference.
  3. In version 84, Chrome provides the option to "save link as" when an unsecured URL is rendered. In Chrome version 85 and beyond, this action will be blocked.
  4. Custom actions that direct users to a popup are auto-upgraded to HTTPS (secured reference), but will be blocked if the secured resource is not available. However, the custom action redirect will succeed if the target is set to "replace page", as this will open a new tab.
Lösning

In newer versions of Google Chrome, all unsecured (HTTP) external resources will need to be transitioned to a secured (HTTPS) resource reference. Although the scenarios above highlight unexpected behaviors in the Quote Line Editor, this change in Chrome security can impact all areas where unsecured resources are referenced.

What action can you take?

Review your custom content and ensure that it’s served through a secure HTTPS host. HTTPS uses encryption of data in-transit (TLS) to prevent attacks such as man-in-middle. The method of configuring HTTPS may change based on the service you are using. Please use the service-specific links above for additional guidance on configuring HTTPS.
 

Can I use a workaround until I configure HTTPS?

We recommend configuring HTTPS on all pages. While you are configuring HTTPS, the following interim workarounds will help you to overcome mixed content-related errors.
 

  • Use an alternate browser that allows mixed content 
  • Enable the Google Chrome mixed content flag

To enable the Google Chrome mixed content flag within Chrome, click the padlock icon in the URL bar → Click Site Settings → Find the Insecure Content dropdown. Then use the dropdown list to change Block (default) to Allow. Note that Google hasn’t announced how long this functionality remains available.
 

Note: We do not recommend this approach unless you have business-critical needs and strongly recommend configuring HTTPS as soon as possible.

 

FAQ:

Q: What is mixed content?
A: Web pages are rendered by browsers based on two protocols – HTTP and HTTPS. A website that follows the HTTPS protocol is far safer than one that uses HTTP. HTTPS-enabled sites are encrypted, thus ensuring authentication, data integrity, secrecy. However, there are websites that load both HTTPS and HTTP content on the same page and this is called Mixed Content. Most sites that face mixed content issues have external resources such as images, videos, style sheets, scripts loaded via the HTTP domain. Even though the initial request is sent as HTTPS, once the mixed content is rendered in the Google Chrome browser, it shows the site as insecure as there are chances that the HTTP resources may harm the users.

Q: What is the timeline for the change?
A: The planned Google Chrome rollout begins with a browser warning and then advances to blocking mixed content downloads.  Here is the Google Chrome rollout schedule for your reference.

 

Type of contentFile examplesBrowser warningBlocking
Executablesexe, apkChrome 84 (Aug)Chrome 85 (Sep)
Archiveszip, isoChrome 85 (Sep)Chrome 86 (Oct)
Documentspdf, docxChrome 86 (Oct)Chrome 87 (Nov)
Multimediapng, mp3Chrome 87 (Nov)Chrome 89 (Jan '21)



Q: What is impacted?
A:

1. Broken images
If a user is viewing a secure webpage (HTTPS), and if any of the content displayed as part of the webpage is hosted on a non-secure link (HTTP), then the content (for example, image or video) will be displayed as a broken image.
2. Failed downloads
If a user is viewing a secure webpage (HTTPS), if there is a download link or attachment in the webpage, and if the corresponding content is hosted on a non-secure site (HTTP or FTP only), then clicking on the link will result in error.


Q: What is NOT impacted?
A:

1. HTTP only sites/URLs
The impact seems to be specific to a non-secure content display in a secure page, in other words, say if there a HTTP only page which is displaying a HTTP only content then it may not fail.
2. HTTP page loading
Most importantly, the change does not block loading a site on HTTP only or rendering an email in an email client with no TLS. So the pages on HTTP only (no HTTPS) will still continue to work.
Ytterligare resurser
SEE ALSO
Knowledge-artikelnummer

000390796

 
Laddar
Salesforce Help | Article