Browser Security Standards
Learn how eBay is meeting new security standards and how to update non-secure content in your listings.
Browser security standards
How browser security is changing
Google Chrome—the browser used by almost half of all eBay buyers—is making changes to its security standards and how it communicates web privacy to users. Starting in October 2017, Chrome users will see the message "Not secure" displayed in the browser's address bar when they visit HTTP pages, and HTTPS pages that include HTTP content. Other web browsers will likely follow suit and make similar changes in the future.
Non-compliant page before October 2017
Non-compliant page after October 2017
HTTP stands for Hypertext Transfer Protocol and is what governs data communication on the internet. HTTPS is the secure version of HTTP (the 'S' stands for 'Secure'), and it ensures data privacy and security by encrypting communications from all parties.
eBay is doing its part so that buyers don't see the new "Not secure" message when they visit the site and to protect data. In October 2017, eBay.com will begin using the HTTPS communications protocol for all listings, as we announced in our 2017 Summer Update. In the future, eBay will move all Store pages to HTTPS as well. eBay.ca listings will begin using the HTTPS protocol in early 2018.
There may be HTTP content in your listings and Stores even after eBay begins using the HTTPS protocol. You must update this HTTP content to HTTPS as soon as possible.
Below, see the most common kinds of content found in sellers' listings, Store templates, and elsewhere that may be using non-secure HTTP URLs.
Common HTTP Content
- Externally hosted pictures
- Photos in
- Listing descriptions
<img src="http://xyz.com/..." alt="Sample Text" height="42" width="42"> - Product variants, in multi-variation listings
<img src="http://xyz.com/..." alt="Sample Text" height="42" width="42"> - The Trading API (and related APIs):
<PictureURL> http://xyz.com/ </PictureURL> - The Inventory API:
"imageUrls": [ "http://xyz.com/" ] - The Merchant Integration Platform (MIP)
- Product feed
- Combined feed
- Listing descriptions
- Photos in
- Cascading style sheets (CSS)
- References to CSS resources:
- <link rel="stylesheet" type="text/css" href="http://xyz.com/...">
- References within CSS:
- body { background-image: url("http://xyz.com/abc.gif"); }
- .banner { background: url("http://xyz.com/banner.png");
- ul { list-style: square url(http://xyz.com/block.png);}
- References to CSS resources:
- HTML5 video
<video width="10" height="10" controls>
<source src="http://xyz.com/" type="video/mp4">
</video> - HTML5 audio
<audio controls>
<source src="http://xyz.com/" type="audio/mpeg">
</audio>
See the Technical details section for less commonly used tags with non-secure URLs.
How eBay is protecting your security
We believe that buyers who see a "Not secure" message are less likely to buy your products. eBay.com will begin using the HTTPS protocol for listings in October 2017, but if sellers have used non-secure HTTP content in their listings, Google Chrome will still consider the page to be non-secure.
To ensure that your buyers see the "Secure" message when Chrome makes its October update, eBay is making a change to how desktop users view such content in item descriptions.
Starting in October 2017 for eBay.com and early 2018 for eBay.ca, listings with HTTP content will feature key snippets of the item description, and a button reading "See full item description", putting the complete description just one click away, as shown below. This experience is similar to how buyers already view listings on mobile, and the mobile experience will not change. Item descriptions that are HTTPS-compliant will continue to display the full description as usual.
The code below will allow you to choose the first 800 characters of text from your item description.
Note: The use of "http" in http://schema.org will not trigger a non-secure warning from browsers. This is because schema.org is a recognized vocabulary format that most browsers and search engines understand. Unlike resource references, a vocabulary reference simply conveys to the browser that the format being used is similar to the one at http://schema.org.
How to secure your listings
Fortunately, many eBay listings are already HTTPS-compliant, and HTTPS-compliant listings will continue to be shown as they are today.
Only listings containing non-secure HTTP content will require buyers to click an additional button to see the full item description.
eBay is providing sellers with a tool to check your listings' security. Updating listings to comply with these new security standards will mean that your buyers will be able to see your full item description, just as they do today.
Making your listings HTTPS-compliant
To remove HTTP content and make sure buyers can see your full item description in the listing page, follow these steps:
- Use this tool to identify your eBay listings that contain non-secure HTTP content. eBay has partnered with i-ways to implement an eBay token (sign-in) to protect your full inventory of listings from being seen by others. You can view a single item without your password, but to get a full download of all your items, you will be required to sign in with your eBay login.
- If the tool flags non-secure content, determine if the third-party websites you use to host content, commonly called domains, are compliant with the stronger browser security standards (HTTPS).
You may be able to find this information on the host domain's website, or by contacting the domain.
eBay is also working with domains to ensure that as many as possible are prepared for the October updates to strengthen browser security. - When you've confirmed that your host domains support HTTPS, find all uses of "HTTP" in your listings, and replace them with "HTTPS". eBay's bulk editing functionality can help you make this change to up to 200 listings at a time.
- If a host domain is not compliant with the stronger security standards, but you still want your full item description to be displayed, remove content hosted on that domain from your listing. Once they are HTTPS compliant, you can reinstate the content into your listings.
If you use a third-party selling solution, contact your provider for assistance in identifying and updating non-secure content, and making your listings HTTPS-compliant. If you need additional help, consider using one of the solutions listed below, or one of the solutions here.
For help in identifying and updating non-secure content, consider these solutions from third-party developers:
| Service Provider | Listing limit | Plans |
|---|---|---|
| Auctiva |
< 100,000 |
- Free trial |
| ChannelAdvisor |
Up to millions |
- Contact for more details |
| CrazyLister |
< 100,000 |
- Free trial |
| DemandStream, by CommerceHub |
< 100,000 |
- Contact for more details |
| Frooition |
Up to millions |
- Free trial |
| GarageSale by iwascoding |
< 100,000 |
- Free trial |
| Sellbrite |
< 100,000 |
- Free trial |
| Seller Sourcebook |
Up to millions |
- Monthly subscription |
| ShipScript |
< 100,000 |
- Free or donation |
| SixBit |
< 100,000 |
- Free trial |
| Vendio |
< 1,000,000 |
- Free trial |
Timeline
US Sites
As of October 2017—eBay will convert all listing pages to secure HTTPS:
- Listings with HTTP content will feature the "See full item description" button, as shown above.
- HTTPS-compliant listings will be unchanged.
Canada and International Sites
As of October 2017—eBay will convert listings pages as follows:
- Listings with HTTP content will be served as a standard HTTP page, and the description will be unchanged, but will show a (i) in the URL and may be marked as "Not secure" by browsers like Chrome, as shown above.
- HTTPS-compliant listings will be unchanged.
As of February 2018—Canada and International Sites will follow the same policy as the US site:
- Listings with HTTP content will feature the "See full item description" button.
- HTTPS-compliant listings will be unchanged.
The technical details
Mixed content occurs when non-secure HTTP content is loaded on an HTTPS page. Mixed content will trigger Google Chrome's "Not secure" messaging.
Anchor tags (<a href=url>) are not treated as mixed content. Standard HTTP URLs in anchor tags are still supported. Note that anchor tags must still comply with eBay's links policy.
To comply with the industry's mixed content policy, the following tags must use HTTPS URLs when viewed on a secure HTTPS page:
HTTPS Required Tags
- Images
<img src="https://xyz.com/" alt="Sample Text" height="42" width="42"> - Style sheets
- References to CSS resources: <link rel="stylesheet" type="text/css" href="https://xyz.com/...">
- References within CSS:
body { background-image: url("https://xyz.com/abc.gif"); }
.banner { background: url("https://xyz.com/banner.png");
ul { list-style: square url(https://xyz.com/block.png);}
- Videos
<video width="10" height="10" controls>
<source src="https://xyz.com/" type="video/mp4">
</video> - Audio
<audio controls>
<source src="https://xyz.com/" type="audio/mpeg">
</audio> - APIs & Feeds
- Trading API, for single SKU and multiple variations & feeds:
<PictureURL> https://xyz.com/ </PictureURL> - Inventory API: "imageUrls": [ "https://xyz.com/" ]
- MIP: In the Product and Combined feed
- Trading API, for single SKU and multiple variations & feeds:
- Active Content
eBay no longer supports active content in listing descriptions.
However, if any of the following tags are still present in listings and don't use secure HTTPS URLs, they may cause issues for Chrome users.
<script> (src attribute)
<iframe> (src attribute)
<form> (action attribute)
<embed> (src attribute)
XMLHTTPRequests loading insecure resources:
request.open("GET", "http://xyz.com/", true); request.send();
- More HTML elements
HTML 4 Tags
<applet codebase=url>
<area href=url>
<base href=url>
<blockquote cite=url>
<body background=url>
<del cite=url>
<form action=url>
<frame longdesc=url> ,<frame src=url>
<head profile=url>
<iframe longdesc=url> , <iframe src=url>
<img longdesc=url> , <img src=url> , <img usemap=url>
<input src=url> and <input usemap=url>
<ins cite=url>
<link href=url>
<object classid=url>, <object codebase=url> , <object data=url> , <object usemap=url>
<q cite=url>
HTML 5 Tags
<audio src=url>
<button formaction=url>
<command icon=url>
<embed src=url>
<html manifest=url>
<input formaction=url>
<source src=url>
<video poster=url> , <video src=url>
Complex URLs
<img srcset="url1 resolution1 url2 resolution2">
<source srcset="url1 resolution1 url2 resolution2">
<object archive=url> , <object archive="url1 url2 url3">
<applet archive=url> , <applet archive=url1,url2,url3>
<meta http-equiv="refresh" content="seconds; url">
<svg><image href="url"/></svg>
More information
Read the developer guides below to learn more about mixed content, our browse our FAQ.
- Google Web Fundamentals: What is Mixed Content?
- Google Web Fundamentals: Preventing Mixed Content
- Mozilla Developers Network: Web Security—Mixed Content
FAQs
- What's changing?
Starting in mid-October 2017, Google Chrome will begin displaying the message "Not secure" in the address window when users visit any page with HTTP content. To ensure buyers don't see this message when they visit your listings, eBay is changing how desktop users can view listings with noncompliant content. Starting in October 2017 for eBay.com and early 2018 for eBay.ca, listings with HTTP content will feature key snippets of the item description followed by a button to "See full item description", putting the complete item description just one click away. This experience is similar to how buyers already view listings on mobile.
- Will this change affect all eBay listings?
No. Many eBay listings are already secure and will be unchanged. Only listings with non-secure content will feature the button to "See full item description."
- What can I do to make sure my full item description displays on the main page and does not require the buyer to click a button to read the full description?
Make sure both your listing descriptions and gallery images do not contain any non-secure, HTTP content by following the steps we've provided. If your listings are HTTPS compliant, they won't be impacted by this change and your item descriptions will fully display on the main page.
- Where do I need to make these updates?
Update all active listings, scheduled listings, saved listing templates, description templates, and inventory you have not yet listed.
- Will any HTTP link in my listing or Store trigger the change to how buyers can view item descriptions?
Only HTTP URLs in tags pulling content onto your listing or store will trigger these changes. Such content could include images, videos, audio, CSS URLs, and other content as described above.
Links to external sites are governed by the eBay links policy, but will not trigger any change.
- Will eBay notify me of listings that contain HTTP content?
eBay does plan to notify sellers whose listings feature non-secure content, but you should start following steps to make your listings compliant now ahead of October's change.
- Will the mobile experience be changing?
No, there will be no change to the mobile experience.
- I use a third-party provider to design and manage my listings, and they assure me that their tools and features are compliant. Do my listings still need attention?
If you created Good 'Til Cancelled (GTC) listings or created your storefront before your provider updated their security protocol, your listings or eBay Store could still contain non-compliant content. Third-party providers list GTC listings the first time, and eBay automatically relists them, unchanged.
Contact your provider to learn how they can help you update older GTC listings, draft listings, listing templates, and storefronts.
- Is this the same as the requirement to remove active content?
No. Since June 2017, eBay does not allow active content such as JavaScript, Flash, plug-ins, and other similar programming methods in listings.
Externally hosted content such as photos and cascading style sheets (CSS) are deemed "passive" content and are still allowed in listings. They will not trigger the Google "Not secure" message or hidden description as long as they are delivered using the secure HTTPS transfer protocol.
- What will happen if I change my content to HTTPS, but my domain is not HTTPS compliant?
Your content will likely show up as a broken image or video. Contact your domain to make sure they are HTTPS compliant or remove HTTP content altogether.
- Will eBay block my listings if they contain HTTP content?
No, we do not plan to block listings with noncompliant content.
- Will only Google Chrome users see the new snippet item descriptions for listings with HTTP content?
Buyers will see the same item description snippet and "See full item description" button regardless of which browser they use.
There will be no changes to the mobile experience, which within the mobile experience already features key snippets of item descriptions regardless of mobile browser.
- Is there a way to edit the snippet that's displayed above the View Item description?
The same View Item description summary feature available within the mobile experience today will apply to the desktop experience. Learn more about adding the summary feature within your description.
- How long will it take to see the "See full item description" button to go away after I make my listings compliant?
The full item description should appear on your listing within a few hours of your listing becoming compliant.
- What's the difference between active content, the HTTPS requirement, and off-eBay links?
Active content was used by many sellers to provide interactivity, animation, or video via the use of JavaScript, Flash, plug-ins, or form actions in listings. Since June 2017, eBay no longer renders active content, and recommends alternatives.
HTTP is a communications protocol used to access pages on the internet. HTTPS (the 'S' stands for 'Secure') ensures that all of your communication over the network is encrypted and secure. Browsers like Chrome are mandating stronger HTTPS standards, and eBay is supporting this initiative. eBay pages are HTTPS, and we are requiring our sellers to link only to HTTPS pages beginning this October (for eBay.com listings) or early 2018 (for eBay.ca listings). Sellers who do not switch to the HTTPS protocol before the deadlines above will have their item description hidden behind a button so that buyers do not see the "Not secure" warning when they view the page.
To ensure that your item description and images display properly, ask your hosting provider or third-party partner to support HTTPS and update listing templates or descriptions accordingly. For optimized display on both desktop and mobile, we recommend that you upload your images to eBay.
Off-eBay links, email addresses, and phone numbers are not permitted on the item description page, in titles, or on other eBay pages. Even if you remove active content and comply with the HTTPS protocol, they are still not permitted. eBay may take a range of actions for sellers who violate our Offers to buy or sell outside of eBay policy.
- It looks like my listing is compliant, but my View Item description is still hidden. What else could it be?
Your listing should update without the button within a few hours of becoming compliant. If it's still hidden after that, make sure you review the gallery images you submit to eBay, as those images must also be HTTPS-compliant.
- What's the best way to edit my listings in bulk?
For now, use the bulk editing functionality, or the find and replace feature if you list on eBay.com. We are exploring options to make this easier for you in the future.
- I use multiple eBay selling accounts. Can I check all of them using the i-ways tool?
Yes, but if you want to check more than one item ID, you will need to register a new i-ways account for every eBay account you want to check. If you'd simply like to check item IDs from different accounts, you can do that easily with the item ID checker tool within i-ways without signing up for an i-ways account.
- Why am I seeing "See full item description" on my listings before February?
If you see the "See full item description" button before February 2018, you could be using a link from another listing or from outside of eBay that uses an HTTPS prefix and leads to one of your eBay item pages that contains non-secure content. This can be resolved by removing or updating the non-secure content in your listings.