Salesforce is sending mixed messages about mixed content.
In response to Google's Chrome browser blocking what's known as "mixed content," Salesforce recommended that users either skip the latest upgrades or roll back to earlier versions of the browser.
In a knowledge article posted to its website and sent to customers in a newsletter, Salesforce addressed the mixed content issue, which affects products like Salesforce CMS and CMS Connect. The article expands on Google's new security plan, a phased rollout for blocking insecure downloads through mixed content links, and offers six actions that customers can take to avoid broken images or failed downloads in Chrome. Two of those actions advised users to "choose not to upgrade at this time" or "rollback to a previous version of Google Chrome," which are unusual steps that contradict enterprise security best practices.
On Monday, after the knowledge article was posted, application security engineer Ian Carroll questioned the advised actions in a tweet.
"Salesforce is telling customers to keep Chrome out of date because of mixed content…this is terrible advice," Carroll wrote on Twitter.
Ian Carroll (@iangcarroll), December 7, 2020: "salesforce is telling customers to keep chrome out of date because of mixed content... this is terrible advice" pic.twitter.com/jz527G191X
SearchSecurity contacted the vendor about the advice in the knowledge article and customer newsletter. Salesforce updated the knowledge article Tuesday, removing the entire list of actions and replacing it with a paragraph recommending that users review their custom content and ensure it is served from a host that supports HTTPS.
"Salesforce understands that the confidentiality, integrity, and availability of customer data is vital to business continuity, and we take the protection of that data very seriously. Our Technology teams always assess how changes impact Salesforce, and we've updated this Knowledge Article with the latest on how customers can protect themselves from insecure downloads in Google Chrome," a Salesforce spokesperson said in an email to SearchSecurity, noting that the article had been updated.
A note was also added to the workaround section of the article, after the remaining options of using an alternative browser or enabling Chrome's mixed content flag: "Note: We do not recommend this approach unless you have business-critical needs and strongly recommend configuring HTTPS as soon as possible."
The other actions Salesforce listed were routine; the two that stood out were the ones to skip or roll back the browser update, because security experts have long urged organizations to keep software current in order to patch known vulnerabilities, and a browser held back from updates misses its security fixes along with the mixed content change.
In a blog post in October 2019, Google announced plans to block mixed content as part of its broader push toward HTTPS, though the change was not enacted until September 2020. The knowledge article's example of mixed content is an HTTP link placed on an HTTPS page; more precisely, mixed content is any subresource (image, script, stylesheet, media file or download) that a page served over https:// fetches over plain http://, which exposes that resource to interception and tampering even though the page itself is encrypted.
"HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users' privacy and security," Chrome security team members Emily Stark and Carlos Joan Rafael Ibarra Lopez wrote in the blog.
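The practical question for a Salesforce administrator is which references in their custom content Chrome will now refuse. The following scanner is an added example written for this article, not code from Salesforce, Google or the knowledge article: it walks an HTML document served from an HTTPS page, flags absolute http:// URLs in the attributes browsers actually fetch, groups them the way the Chrome blog post does (scripts, iframes and stylesheets already blocked; images, audio and video newly blocked; download links), and rewrites the flagged URLs to https:// as a first pass at the remediation Salesforce's updated article recommends. The tag-to-attribute table, the rule that an anchor counts as a download only when it carries a download attribute, and the sample page are assumptions made for the demo.

```javascript
'use strict';

// Attributes browsers fetch, and how Chrome treats an http:// value there on an
// https:// page, per the categories in the Chrome blog post quoted above.
// Assumption: an <a> is treated as a download only when it has a download attribute.
const FETCHED = {
  script: { attr: 'src',  kind: 'blocked' },           // active content, blocked for years
  iframe: { attr: 'src',  kind: 'blocked' },
  link:   { attr: 'href', kind: 'blocked' },           // stylesheets only (rel checked below)
  img:    { attr: 'src',  kind: 'newly-blocked' },     // formerly allowed, now upgraded or blocked
  audio:  { attr: 'src',  kind: 'newly-blocked' },
  video:  { attr: 'src',  kind: 'newly-blocked' },
  source: { attr: 'src',  kind: 'newly-blocked' },
  a:      { attr: 'href', kind: 'insecure-download' },
};

// Deliberately simple tag and attribute matching; enough for static markup audits.
const TAG_RE  = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

function isInsecureAbsolute(url) {
  // Only absolute http:// URLs are mixed content. Relative paths and
  // protocol-relative (//host/path) references inherit the page's https scheme.
  return /^\s*http:\/\//i.test(url);
}

function findMixedContent(html, pageUrl) {
  // Mixed content can only exist on a page that is itself served over HTTPS.
  if (!/^https:\/\//i.test(pageUrl)) return [];
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const rule = FETCHED[tag];
    if (!rule) continue;
    const attrs = parseAttrs(m[2]);
    if (tag === 'a' && !('download' in attrs)) continue;  // plain navigation link, not a fetch
    if (tag === 'link' && (attrs.rel || '').toLowerCase() !== 'stylesheet') continue;
    const url = attrs[rule.attr];
    if (url && isInsecureAbsolute(url)) {
      findings.push({ tag, attr: rule.attr, url: url.trim(), kind: rule.kind });
    }
  }
  return findings;
}

// The remediation the updated knowledge article points at: reference each asset
// over HTTPS. This replaces every occurrence of a flagged URL string; it is only
// a real fix if the host serves the same file over https://, which must be
// checked separately, because an upgrade to a host without TLS is blocked too.
function upgradeMixedContent(html, pageUrl) {
  let out = html;
  for (const f of findMixedContent(html, pageUrl)) {
    out = out.split(f.url).join(f.url.replace(/^http:\/\//i, 'https://'));
  }
  return out;
}

function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample page (not real Salesforce markup) served from an HTTPS origin.
const SAMPLE_PAGE_URL = 'https://community.example.com/s/article';
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="http://cdn.example.com/site.css">
  <script src="https://cdn.example.com/app.js"></script>
</head><body>
  <img src="http://assets.example.com/logo.png" alt="logo">
  <img src="//assets.example.com/hero.png" alt="protocol-relative, fine">
  <video src="/media/intro.mp4"></video>
  <a href="http://files.example.com/report.pdf" download>Download report</a>
  <a href="http://partner.example.com/">Plain link, not a fetch</a>
</body></html>`;

function main() {
  const findings = findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL);
  for (const f of findings) {
    console.log(`${f.kind.padEnd(17)} <${f.tag} ${f.attr}="${f.url}">`);
  }
  console.log('after upgrade:', findMixedContent(upgradeMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL), SAMPLE_PAGE_URL).length, 'findings');
}
main();
```

On the sample page the scanner reports three findings (the stylesheet, the logo image and the PDF download) and ignores the protocol-relative image, the relative video and the ordinary navigation link, which are not mixed content. Run against exported Salesforce CMS or Marketing Cloud templates, a scan like this tells you which assets still need an HTTPS host before Chrome's change is enforced, which is the work the updated knowledge article asks customers to do instead of holding back the browser.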
Chrome's blocking of mixed content affects other Salesforce products, including Marketing Cloud. In another knowledge article for Marketing Cloud, Salesforce states that customers can use an alternate browser that allows mixed content, but also notes "most other browsers will eventually follow this standard" in the future.