There is nothing more annoying than trying to browse the Web and having a popup appear every time you navigate to a new webpage. This usually happens with ads, and sometimes with plugins or extensions like LastPass when there is an option to log in to the website. However, recently I began to experience a persistent yellow bar popping down from the top of Chrome when I visited almost any webpage — including Chrome. It warned me that “This page has insecure content” and that I needed to approve the page for viewing to continue. This was especially annoying as the popup was slightly delayed and it pushed the entire page’s content down, often making me misclick to an unintended target link — itself a security risk!
Google explains that when a website is secured via HTTPS, the website's developers must also ensure that every script used by the page is delivered in the same secure manner as the main page itself. When this isn’t the case, Google says, visitors run the risk that attackers can interfere with the website. Previously, browsers ran this script but notified you after the fact. Now, Chrome warns users that this is happening with the yellow warning box, cautioning that “This page has insecure content.” Users must click “Allow anyway” to see the website despite the script on the page. So why does this warning sometimes appear on every page you visit, including pages such as Gmail?
For those experiencing this constant warning from Google, the problem actually lies within your active extensions in Chrome, which are present on every page you visit while using Chrome. If the script in an extension is not delivered the same way as the page, as mentioned above, Chrome will conclude that every page viewed has insecure content. But if you’re like me and have dozens of extensions, how do you know which one has gone rogue and now creates what Chrome perceives as insecure content? In his blog, Warren Ellis details how he found a way to easily target the problematic extension by way of a Google support forum:
Right-click anywhere on your Gmail page and click Inspect Element.
A debug window will take over the bottom half of your browser. Click Console in the bar at the top of this window.
Search for the words “insecure content” in the console (using the search bar at the top right of the console). The matching line will reveal where the insecure content is coming from.
Disable the plug-in that is creating this message.
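If you have saved console output from several sites, the same search can be scripted. The sketch below is an added example, not something from Warren Ellis's post or from Google: the log lines are constructed, the hostnames are placeholders, and the two message wordings are assumptions about what Chrome prints (they vary by version). It flags any insecure host that shows up on several unrelated HTTPS sites, which is the signature of an extension rather than of one site's own mistake.

```javascript
// Constructed sample console output; all hostnames are placeholders.
const SAMPLE_LOG = [
  "The page at https://mail.example.com/inbox ran insecure content from http://cdn.toolbar.example/inject.js.",
  "The page at https://bank.example.org/login ran insecure content from http://cdn.toolbar.example/inject.js.",
  "Mixed Content: The page at 'https://news.example.net/' was loaded over HTTPS, but requested an insecure script 'http://cdn.toolbar.example/inject.js'. This request has been blocked; the content must be served over HTTPS.",
  "The page at https://news.example.net/ displayed insecure content from http://img.example.net/banner.png.",
  "Uncaught TypeError: x is not a function",
];

// Two wordings of the warning (assumed here; exact text depends on the Chrome version).
const PATTERNS = [
  /The page at (https:\/\/\S+) (?:ran|displayed) insecure content from (http:\/\/\S+?)\.?$/,
  /Mixed Content: The page at '(https:\/\/[^']+)' was loaded over HTTPS, but requested an insecure [\w ]+ '(http:\/\/[^']+)'/,
];

// Returns the secure page origin and the insecure resource host, or null
// when the line is not an insecure-content message.
function parseLine(line) {
  for (const re of PATTERNS) {
    const m = re.exec(line);
    if (m) return { page: new URL(m[1]).origin, resource: new URL(m[2]).host };
  }
  return null;
}

// Groups messages by insecure host. A host seen on several unrelated sites
// points to something injected into every page (an extension), while a host
// seen on a single site is more likely that site's own mixed content.
function suspects(lines, minSites = 2) {
  const sitesByHost = new Map();
  for (const line of lines) {
    const hit = parseLine(line);
    if (!hit) continue;
    if (!sitesByHost.has(hit.resource)) sitesByHost.set(hit.resource, new Set());
    sitesByHost.get(hit.resource).add(hit.page);
  }
  return [...sitesByHost]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([host, sites]) => ({ host, sites: [...sites].sort() }));
}

console.log(JSON.stringify(suspects(SAMPLE_LOG), null, 2));
```

The host it reports is the one to look for among your installed extensions before you start disabling them.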
An easy solution is to uninstall any extension you no longer need, and then install the Disable All Extensions Plus extension from the Chrome Store. Ironic, yes, I know, but the extension will allow you to click one button in your browser to automatically disable all extensions. You can then turn each one back on, one at a time, opening a new tab in Chrome after each and visiting a webpage, such as Gmail, to see if the popup returns. Repeat this process until you see the yellow bar warning that “This page has insecure content.” Disabling the extension you just turned back on will then allow you to return to pop-up- and warning-free Chrome browsing.
Keep in mind that this type of insecure Chrome extension is not the same as the type of insecure extension discovered by Nicholas Carlini, Adrienne Porter Felt, and Prateek Saxena in September 2011. This group reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a Web or Wi-Fi attacker. The extensions that generate an “insecure content” warning in Chrome are unrelated to this report and produce very different types of vulnerabilities, if any at all.
Have you been experiencing more warnings lately related to “insecure content” from Chrome than usual? What extensions have you found that are problematic? Let us know your thoughts and solutions in the comments.