Browser Security Standards

Learn how eBay is meeting new security standards and how to update non-secure content in your listings.

How browser security is changing

Google Chrome—the browser used by almost half of all eBay buyers—is making changes to its security standards and how it communicates web privacy to users. Starting in October 2017, Chrome users will see the message "Not secure" displayed in the browser's address bar when they visit HTTP pages, and HTTPS pages that include HTTP content. Other web browsers will likely follow suit and make similar changes in the future.

Non-compliant page before October 2017

Non-compliant page after October 2017

HTTP stands for Hypertext Transfer Protocol, the protocol that governs how data is exchanged between browsers and websites. HTTPS is the secure version of HTTP (the 'S' stands for 'Secure'); it protects data privacy and security by encrypting the communications between the parties.

eBay is doing its part to protect data and to make sure buyers don't see the new "Not secure" message when they visit the site. In October 2017, eBay.com will begin using the HTTPS communications protocol for all listings, as we announced in our 2017 Summer Update. In the future, eBay will move all Store pages to HTTPS as well. eBay.ca listings will begin using the HTTPS protocol in early 2018.

There may be HTTP content in your listings and Stores even after eBay begins using the HTTPS protocol. You must update this HTTP content to HTTPS as soon as possible.

Below, see the most common kinds of content found in sellers' listings, Store templates, and elsewhere that may be using non-secure HTTP URLs.

Common HTTP Content

  • Externally hosted pictures
    • Photos in
      • Listing descriptions
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • Product variants, in multi-variation listings
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • The Trading API (and related APIs):
        <PictureURL> http://xyz.com/ </PictureURL>
      • The Inventory API:
        "imageUrls": [ "http://xyz.com/" ]
      • The Merchant Integration Platform (MIP)
        • Product feed
        • Combined feed
  • Cascading style sheets (CSS)
    • References to CSS resources:
      • <link rel="stylesheet" type="text/css" href="http://xyz.com/...">
    • References within CSS:
      • body { background-image: url("http://xyz.com/abc.gif"); }
      • .banner { background: url("http://xyz.com/banner.png"); }
      • ul { list-style: square url(http://xyz.com/block.png);}
  • HTML5 video
    <video width="10" height="10" controls>
    <source src="http://xyz.com/" type="video/mp4">
    </video>
  • HTML5 audio
    <audio controls>
    <source src="http://xyz.com/" type="audio/mpeg">
    </audio>


See the Technical details section for less commonly used tags with non-secure URLs.

How eBay is protecting your security

We believe that buyers who see a "Not secure" message are less likely to buy your products. eBay.com will begin using the HTTPS protocol for listings in October 2017, but if sellers have used non-secure HTTP content in their listings, Google Chrome will still consider the page to be non-secure.

To ensure that your buyers see the "Secure" message when Chrome makes its October update, eBay is making a change to how desktop users view such content in item descriptions.

Starting in October 2017 for eBay.com and early 2018 for eBay.ca, listings with HTTP content will feature key snippets of the item description, and a button reading "See full item description", putting the complete description just one click away, as shown below. This experience is similar to how buyers already view listings on mobile, and the mobile experience will not change. Item descriptions that are HTTPS-compliant will continue to display the full description as usual.

item description

The code below will allow you to choose the first 800 characters of text from your item description.

Note: The use of "http" in http://schema.org will not trigger a non-secure warning from browsers. This is because schema.org is a recognized vocabulary format that most browsers and search engines understand. Unlike resource references, a vocabulary reference simply conveys to the browser that the format being used is similar to the one at http://schema.org.

How to secure your listings

Fortunately, many eBay listings are already HTTPS-compliant, and HTTPS-compliant listings will continue to be shown as they are today.

Only listings containing non-secure HTTP content will require buyers to click an additional button to see the full item description.

eBay is providing sellers with a tool to check your listings' security. Updating listings to comply with these new security standards will mean that your buyers will be able to see your full item description, just as they do today.

Making your listings HTTPS-compliant
To remove HTTP content and make sure buyers can see your full item description in the listing page, follow these steps:

  1. Use this tool to identify your eBay listings that contain non-secure HTTP content. eBay has partnered with i-ways to implement an eBay token (sign-in) to protect your full inventory of listings from being seen by others. You can view a single item without your password, but to get a full download of all your items, you will be required to sign in with your eBay login.
  2. If the tool flags non-secure content, determine if the third-party websites you use to host content, commonly called domains, are compliant with the stronger browser security standards (HTTPS).
    You may be able to find this information on the host domain's website, or by contacting the domain.
    eBay is also working with domains to ensure that as many as possible are prepared for the October updates to strengthen browser security.
  3. When you've confirmed that your host domains support HTTPS, find all uses of "HTTP" in your listings, and replace them with "HTTPS". eBay's bulk editing functionality can help you make this change to up to 200 listings at a time.
  4. If a host domain is not compliant with the stronger security standards, but you still want your full item description to be displayed, remove content hosted on that domain from your listing. Once the domain is HTTPS-compliant, you can reinstate the content in your listings.

If you use a third-party selling solution, contact your provider for assistance in identifying and updating non-secure content, and making your listings HTTPS-compliant. If you need additional help, consider using one of the solutions listed below, or one of the solutions here.

For help in identifying and updating non-secure content, consider these solutions from third-party developers:

Service Provider | Listing limit | Plans
--- | --- | ---
Auctiva | < 100,000 | Free trial; Monthly subscription
ChannelAdvisor | Up to millions | Contact for more details
CrazyLister | < 100,000 | Free trial; Monthly subscription
DemandStream, by CommerceHub | < 100,000 | Contact for more details
Frooition | Up to millions | Free trial; One-time fee; Monthly subscription
GarageSale by iwascoding | < 100,000 | Free trial; One-time fee
Sellbrite | < 100,000 | Free trial; Monthly subscription
Seller Sourcebook | Up to millions | Monthly subscription
ShipScript | < 100,000 | Free or donation
SixBit | < 100,000 | Free trial; Monthly subscription
Vendio | < 1,000,000 | Free trial; Monthly subscription

Timeline

US Sites

As of October 2017, eBay will convert all listing pages to secure HTTPS:

  • Listings with HTTP content will feature the "See full item description" button, as shown above.
  • HTTPS-compliant listings will be unchanged.

Canada and International Sites

As of October 2017, eBay will convert listing pages as follows:

  • Listings with HTTP content will be served as a standard HTTP page, and the description will be unchanged, but will show an (i) in the URL and may be marked as "Not secure" by browsers like Chrome, as shown above.
  • HTTPS-compliant listings will be unchanged.

As of February 2018, Canada and International Sites will follow the same policy as the US site:

  • Listings with HTTP content will feature the "See full item description" button.
  • HTTPS-compliant listings will be unchanged.

The technical details

Mixed content occurs when non-secure HTTP content is loaded on an HTTPS page. Mixed content will trigger Google Chrome's "Not secure" messaging.

Anchor tags (<a href=url>) are not treated as mixed content. Standard HTTP URLs in anchor tags are still supported. Note that anchor tags must still comply with eBay's links policy.

To comply with the industry's mixed content policy, the following tags must use HTTPS URLs when viewed on a secure HTTPS page:

HTTPS Required Tags

  • Images

    <img src="https://xyz.com/" alt="Sample Text" height="42" width="42">
  • Style sheets
    • References to CSS resources: <link rel="stylesheet" type="text/css" href="https://xyz.com/...">
    • References within CSS:
      body { background-image: url("https://xyz.com/abc.gif"); }
      .banner { background: url("https://xyz.com/banner.png"); }
      ul { list-style: square url(https://xyz.com/block.png);}
  • Videos
    <video width="10" height="10" controls>
    <source src="https://xyz.com/" type="video/mp4">
    </video>
  • Audio
    <audio controls>
    <source src="https://xyz.com/" type="audio/mpeg">
    </audio>
  • APIs & Feeds
    • Trading API, for single SKU and multiple variations & feeds:
      <PictureURL> https://xyz.com/ </PictureURL>
    • Inventory API: "imageUrls": [ "https://xyz.com/" ]
    • MIP: In the Product and Combined feed
  • Active Content

    eBay no longer supports active content in listing descriptions.

    However, if any of the following tags are still present in listings and don't use secure HTTPS URLs, they may cause issues for Chrome users.

    <script> (src attribute)
    <iframe> (src attribute)
    <form> (action attribute)
    <embed> (src attribute)
    XMLHttpRequest calls loading insecure resources:
    request.open("GET", "http://xyz.com/", true); request.send();
  • More HTML elements

    HTML 4 Tags

    <applet codebase=url>
    <area href=url>
    <base href=url>
    <blockquote cite=url>
    <body background=url>
    <del cite=url>
    <form action=url>
    <frame longdesc=url>, <frame src=url>
    <head profile=url>
    <iframe longdesc=url>, <iframe src=url>
    <img longdesc=url>, <img src=url>, <img usemap=url>
    <input src=url>, <input usemap=url>
    <ins cite=url>
    <link href=url>
    <object classid=url>, <object codebase=url>, <object data=url>, <object usemap=url>
    <q cite=url>

    HTML 5 Tags

    <audio src=url>
    <button formaction=url>
    <command icon=url>
    <embed src=url>
    <html manifest=url>
    <input formaction=url>
    <source src=url>
    <video poster=url> , <video src=url>

    Complex URLs

    <img srcset="url1 resolution1 url2 resolution2">
    <source srcset="url1 resolution1 url2 resolution2">
    <object archive=url> , <object archive="url1 url2 url3">
    <applet archive=url> , <applet archive=url1,url2,url3>
    <meta http-equiv="refresh" content="seconds; url">
    <svg><image href="url"/></svg>
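
The tag and attribute rules listed above can be checked mechanically. The scanner below is an added example, not eBay's or i-ways' checking tool: it parses a listing description with Python's standard `html.parser` and reports `http://` resource references, while skipping `<a href>` links and the schema.org vocabulary reference. The names `MixedContentScanner`, `scan` and `SAMPLE`, and the `(tag, source, url)` finding format, are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
# URL-bearing attributes taken from the tag lists on this page.
SINGLE_URL_ATTRS = {"src", "href", "poster", "background", "data", "codebase",
                    "classid", "longdesc", "usemap", "cite", "action",
                    "formaction", "icon", "manifest", "profile"}
MULTI_URL_ATTRS = {"srcset", "archive"}  # several URLs in one attribute value
HTTP_URL = re.compile(r"http://[^\s,\"')]+", re.I)
CSS_HTTP_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (tag, source, url)

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        refresh = (dict(attrs).get("http-equiv") or "").lower() == "refresh"
        for name, value in attrs:
            value = (value or "").strip()
            urls = []  # unlisted attributes (e.g. vocab="http://schema.org/") load nothing
            if name in SINGLE_URL_ATTRS and (tag, name) != ("a", "href"):
                urls = [value] if value.lower().startswith("http://") else []
            elif name in MULTI_URL_ATTRS or (refresh and name == "content"):
                urls = HTTP_URL.findall(value)
            elif name == "style":
                urls = CSS_HTTP_URL.findall(value)
            self.findings += [(tag, name, u) for u in urls]

    def handle_endtag(self, tag):
        self._in_style = False  # <style> is raw text, so any end tag closes it

    def handle_data(self, data):
        if self._in_style:
            self.findings += [("style", "css", u) for u in CSS_HTTP_URL.findall(data)]

def scan(description_html):
    scanner = MixedContentScanner()
    scanner.feed(description_html)
    scanner.close()
    return scanner.findings

# Constructed sample description; xyz.com is the page's placeholder host.
SAMPLE = """<div vocab="http://schema.org/" typeof="Product">
<style>.banner { background: url("http://xyz.com/banner.png"); }</style>
<a href="http://xyz.com/store">Store</a><video poster="HTTP://xyz.com/p.png"></video>
<img src="http://xyz.com/a.jpg" srcset="https://xyz.com/a1.jpg 1x, http://xyz.com/a2.jpg 2x">
<img src="https://xyz.com/ok.jpg" alt="ok"></div>"""
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Script bodies are not inspected, so an `XMLHttpRequest` to an `http://` URL is outside what this example reports.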


More information

Read the developer guides below to learn more about mixed content, or browse our FAQ.