
Chrome Blocking Mixed Content in Chatter and Experience Sites (Communities)

Publish Date: Oct 13, 2022
Description

Google is protecting users from insecure downloads by blocking mixed-content downloads in Chrome. An example of mixed content is a link to an HTTP site that is placed on an HTTPS page. This change affects insecure images and links in Salesforce Chatter and Experience sites (communities). Google’s phased rollout plan begins with a browser warning and then advances to blocking mixed-content downloads. Google’s effort began in September 2020 and will continue through the next several Chrome releases. This article focuses on core impacts on Salesforce Chatter and Experience sites (communities).
 

For impacts to other Salesforce Clouds and products see:

 
Resolution


What’s impacted?

This may affect your users’ ability to access non-HTTPS downloads or images made available in Salesforce Chatter or Experience sites (communities).

1. Images
If a user is viewing a Chatter post or a page in an Experience site (community) (HTTPS), and an image or video is hosted on a non-secure link (HTTP), then the image or video is displayed as a broken image.

2. Downloads
If a user is viewing a Chatter post or a page in an Experience site (community) (HTTPS), there’s a download link or attachment in the page, and the corresponding content is hosted on a non-secure site (HTTP or FTP only), then clicking the link results in an error. This change also impacts non-secure (HTTP) links in the HTML Editor and Rich Text Editor in a site.com studio or Experience Builder site.
 


What action can you take?

Review your custom content and ensure that it’s served through a secure HTTPS host. HTTPS encrypts data in transit (TLS) to prevent attacks such as man-in-the-middle.
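
One way to carry out this review on exported page or post HTML, as an added example that is not Salesforce's or Google's code: a Python audit that flags the image, video, and link references using HTTP or FTP described under "What's impacted?". The sample markup and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline media shows as a broken image when insecure; links fail on click.
MEDIA = {("img", "src"), ("video", "src"), ("video", "poster"), ("source", "src")}
LINKS = {("a", "href")}
INSECURE_SCHEMES = {"http", "ftp"}


class MixedContentAuditor(HTMLParser):
    """Collects HTTP/FTP references from an HTML fragment shown on an HTTPS page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = "media" if (tag, name) in MEDIA else "link" if (tag, name) in LINKS else None
            if kind is None or not value:
                continue
            try:
                scheme = urlsplit(value.strip()).scheme  # urlsplit lowercases the scheme
            except ValueError:  # malformed URL: nothing to classify
                continue
            # Relative and protocol-relative URLs have no scheme and inherit HTTPS.
            if scheme in INSECURE_SCHEMES:
                self.findings.append((self.getpos()[0], kind, tag, value.strip()))


def audit(html):
    """Return insecure references found in html, in document order."""
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample resembling rich-text content; all hosts are placeholders.
SAMPLE = "\n".join([
    '<p>Notes: <a href="http://files.example.com/notes.pdf">PDF</a></p>',
    '<img src="https://cdn.example.com/logo.png" alt="logo">',
    '<img src="HTTP://img.example.com/banner.png" alt="banner"/>',
    '<video poster="//cdn.example.com/p.jpg"><source src="http://media.example.com/demo.mp4"></video>',
    '<a href="ftp://ftp.example.com/tool.zip">Tool</a> <a href="/s/help">Help</a>',
])

if __name__ == "__main__":
    for line, kind, tag, url in audit(SAMPLE):
        print(f"line {line}: insecure {kind} in <{tag}>: {url}")
```

Each finding is a reference to re-host on HTTPS; the secure, relative, and protocol-relative URLs in the sample are left alone.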

To configure HTTPS for the HTML Editor and Rich Text Editor in a site.com studio, open an Experience Workspace in Setup. Click Administration | Pages | Go to Site.com Studio. Open the Site Configuration Menu and enable these options: Require Secure Connections (HTTPS) and Upgrade all requests to HTTPS.

The method of configuring HTTPS may change based on the service you are using. Please use the service-specific links above for additional guidance on configuring HTTPS.

 

Can I use a workaround until I configure HTTPS?

We recommend configuring HTTPS on all pages. While you are configuring HTTPS, the following interim workarounds will help you to overcome mixed content-related errors.
 

  • Use an alternate browser that allows mixed content 
  • Enable the Google Chrome mixed content flag


To enable the Google Chrome mixed content flag within Chrome, click the padlock icon in the URL bar → Click Site Settings → Find the Insecure Content dropdown. Then use the dropdown list to change Block (default) to Allow. Note that Google hasn’t announced how long this functionality remains available.
 

Note: We do not recommend this approach unless you have business-critical needs and strongly recommend configuring HTTPS as soon as possible.

 


How’s Salesforce addressing this change?

Salesforce Technology teams have assessed how this change affects its products across clouds. We’ll update the article, Google protecting users from insecure downloads in Google Chrome, as more information becomes available.
 


Why is Google making this change?

Insecure downloads are a risk to users’ security and privacy. For instance, attackers can swap out insecure downloads with malware, and eavesdroppers can read users' insecurely-downloaded content, like their bank statements. To address these risks, Google plans to remove support for insecure downloads in Chrome. Google announced that Chrome will gradually ensure that secure (HTTPS) pages download only secure files by blocking mixed-content downloads. Google announced a plan last year to start blocking all insecure subresources on secure pages. As a first step, Google is focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
 


How can I get more information?

Read the Google Chrome blog for detailed information from Google and their expected timeline.
 
Knowledge Article Number

000393288

 