Next Chrome Update Will Block Non-HTTPS Images in Email
The next version of Chrome (Chrome 81) will cause non-HTTPS images in email to not display in certain Webmail clients. This update will come out on April 7.
Google announced a Chrome update last October that went largely unnoticed in the email industry. The announcement was that Chrome 81 would no longer allow mixed content (HTTPS and HTTP) when a website is loaded via HTTPS.
What’s the difference between HTTPS and HTTP?
Hypertext Transfer Protocol, or HTTP, facilitates communication between web servers and your internet browser, allowing you to load and view web pages. HTTPS is just a secure form of HTTP. By adding a Secure Sockets Layer (SSL) certificate, information that was previously vulnerable to theft during the communication process is now encrypted.
In the past, even though a website might be loaded via HTTPS, browsers still allowed content such as images to be loaded via HTTP in what is called “mixed content” mode.
This “mixed content” poses a security threat that Google seeks to abolish through this planned update.
There’s good news and bad news.
The Good News
HTTP Image Checker Tool
The first bit of good news is we have an HTTP Image Checker tool to help you diagnose if any of your images are loaded through HTTP. It will also help check if HTTPS alternatives are available.
Gmail and Yahoo! Mail fix your HTTP images for you
The second bit of good news is that Gmail, Yahoo! Mail, and to an extent Outlook.com proxy or route your images through their own secure servers, and by doing so rewrite the URLs of HTTP images to HTTPS, bypassing the problem. Therefore, even if you host your emails on a non-HTTPS server, they’ll still load with Gmail and Yahoo! Mail.
Webmail | Will HTTP Images Load? | Notes |
Gmail | Yes | HTTP images proxied |
Yahoo! Mail | Yes | HTTP images proxied |
Outlook.com/Office365 | Partial | Background images not proxied and will not display |
Xfinity (Comcast.net) | No | All HTTP images will not display |
Other Webmail | ? | |
Chrome will attempt to load HTTPS versions of HTTP images
A final piece of good news is that Chrome will automatically attempt to load HTTP images through HTTPS to fix the issue. Many servers are already configured for SSL, so emails containing HTTP images will still display properly since they can also be loaded via HTTPS – as long as the SSL certificates are configured properly.
The Bad News
Outlook.com does not proxy CSS background images
Although Outlook.com (and Office365) proxies your images through a secure server, CSS background images are not proxied, and if you have background images that are not loaded over HTTPS, these will no longer show up in Outlook.com.
Other smaller Webmail providers such as Xfinity’s Comcast.net may not proxy images at all. In this case, Chrome will block all your images if they are loaded through HTTP.
Many HTTPS servers do not have valid certificates
Another piece of bad news is that even though Chrome will automatically attempt to load your images through HTTPS and many servers are already configured for HTTPS, often these servers do not have valid SSL certificates that allow them to properly serve images through HTTPS.
In some cases the domain in the certificate does not match the domain serving the image. Often the domain in the certificate is that of the hosting provider and not the client.
In other cases the certificate may have expired. In these cases, Chrome 81 will refuse to display the image.
Resolution
The first step is to figure out if any of your emails are loading images through HTTP. You can use our HTTP Image Checker tool to ascertain that.
If all your images are already loaded through HTTPS, congratulations, you have nothing to worry about!
If some of your images are loaded through HTTP, ask your IT administrator whether the same images can be loaded through HTTPS and whether your SSL certificates are configured correctly. If so, modify the URLs of your images so they are loaded over HTTPS.
In some cases, you may be unable to change the image URLs. For example, some images provided by third parties for services such as analytics pixels and realtime imagery may be delivered via HTTP. In these cases, check with the image provider to see if their servers are properly configured for SSL. Since Chrome will attempt to load images through HTTPS anyway, if the servers support HTTPS, then this might not break your images.
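The first resolution step can also be scripted. The following is an added example, not the HTTP Image Checker tool mentioned above: it scans an email's HTML for images referenced over plain HTTP in `<img>` tags, `background` attributes, inline styles and `<style>` blocks, and lists the HTTPS URL to test for each. Treating the legacy `background` attribute like a CSS background image is an assumption, and the sample markup and hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS url(...) values that point at a plain-HTTP resource
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class InsecureImageFinder(HTMLParser):
    """Collect (kind, url) for every image reference fetched over HTTP."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        if tag == "img" and a.get("src", "").lower().startswith("http://"):
            self.found.append(("img", a["src"]))
        # Legacy background="" attribute (table/td/body)
        if a.get("background", "").lower().startswith("http://"):
            self.found.append(("background", a["background"]))
        self.found += [("background", u) for u in CSS_URL.findall(a.get("style", ""))]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.found += [("background", u) for u in CSS_URL.findall(data)]

def audit(html):
    """Return one record per HTTP image, with the HTTPS URL to test."""
    finder = InsecureImageFinder()
    finder.feed(html)
    finder.close()
    return [{"kind": kind, "url": url,
             "https_url": urlsplit(url)._replace(scheme="https").geturl(),
             # Per the article's table: Outlook.com does not proxy backgrounds
             "outlook_proxied": kind == "img"}
            for kind, url in finder.found]

# Constructed sample email body; all hosts are hypothetical
SAMPLE = """<style>.hero{background-image:url('http://img.example.com/hero.jpg')}</style>
<table><tr><td background="http://img.example.com/bg.png">
<img src="http://img.example.com/logo.png"><img src="https://cdn.example.com/ok.png">
<div style="background:url(http://track.example.net/tile.gif)">x</div></td></tr></table>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Each `https_url` still has to be requested to confirm the server presents a valid, unexpired certificate for that hostname; this script does not make network connections.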