Stronger Browser Security Standards

Learn how eBay is meeting new security standards and how to update non-secure content in your listings.


How browser security is changing

Google Chrome, the browser used by almost half of all eBay buyers, is making changes to its security standards and to how it communicates web privacy to users.

Starting in October 2017, Chrome users will see the message "Not secure" in the browser's address tab when they visit HTTP pages and HTTPS pages that include HTTP content. Other web browsers will likely follow suit and make similar changes in the future.

[Image: non-compliant page before (https-secure)]

[Image: non-compliant page after (https-not-secure)]

HTTP stands for Hypertext Transfer Protocol, the protocol that governs data communication between browsers and websites. HTTPS is the secure version of HTTP (the "S" stands for "Secure"), and it ensures data privacy and security by encrypting the communication between all parties.

eBay is doing its part to protect data and to make sure buyers do not see the new "Not secure" message when they visit the site. In October 2017, eBay will begin using the HTTPS communications protocol for all listings, as we announced in our 2017 Summer Update. In the future, eBay will move all store pages to HTTPS as well.

There may be non-secure HTTP content in your listings and stores even after eBay begins using the HTTPS protocol. You must update this HTTP content to HTTPS as soon as possible.

Below, see the most common kinds of content found in sellers' listings, store templates, and elsewhere that may be using non-secure HTTP URLs.

Common HTTP Content

  • Externally hosted pictures
    • Photos in
      • Listing descriptions
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • Product variants, in multi-variation listings
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • The Trading API (and related APIs):
        <PictureURL> http://xyz.com/ </PictureURL>
      • The Inventory API:
        "imageUrls": [ "http://xyz.com/" ]
      • The Merchant Integration Platform (MIP)
        • Product feed
        • Combined feed
  • Cascading style sheets (CSS)
    • References to CSS resources:
      • <link rel="stylesheet" type="text/css" href="http://xyz.com/...">
    • References within CSS:
      • body { background-image: url("http://xyz.com/abc.gif"); }
      • .banner { background: url("http://xyz.com/banner.png"); }
      • ul { list-style: square url(http://xyz.com/block.png);}
  • HTML5 video
    <video width="10" height="10" controls>
    <source src="http://xyz.com/" type="video/mp4">
    </video>
  • HTML5 audio
    <audio controls>
    <source src="http://xyz.com/" type="audio/mpeg">
    </audio>

See the "Technical Details" section for less commonly used tags with non-secure URLs.



How eBay is protecting your security

We believe that buyers who see a "Not secure" message are less likely to buy your products. eBay will begin using the HTTPS protocol for listings in October 2017, but if sellers have used non-secure, HTTP content in their listings, Google Chrome still considers the page to be not secure.

To ensure that your buyers see the "secure" message when Chrome makes its October update, eBay is making a change to how desktop users view such content in item descriptions.

eBay listings with HTTP content will feature key snippets of the item description and a button reading "See full item description," putting the complete description just one click away, as shown below. This experience is similar to how buyers already view all listings on mobile, and the mobile experience will not change. Item descriptions that are HTTPS-compliant will continue to display the full description as normal.

[Image: item-description]

How to secure your listings

Fortunately, the majority of eBay listings are already HTTPS compliant, and HTTPS-compliant listings will continue to be shown as they are today.

Only listings containing non-secure HTTP content will require buyers to click an additional button to see the full item description.

eBay is providing a tool that lets you check your listings' security. Updating listings to comply with these new security standards means your buyers will be able to see your full item description just as they do today.

Making your listings HTTPS compliant

To update HTTP content and make sure buyers can see your full item description in the listing page, follow these steps.

  1. Use this tool to identify your eBay listings that contain non-secure, HTTP content. eBay has partnered with i-ways and has implemented an eBay token (sign-in) so that the compliance status of your full listing inventory is not publicly available to anyone. You can view a single item without your password, but to get a full download of all your items you will be required to sign in with your eBay sign-in.

  2. If the tool flags non-secure content, determine if the third-party websites you use to host content, commonly called domains, are compliant with the stronger browser security standards (HTTPS).

    You may be able to find this information on the host domain's website or by contacting the domain.

    eBay is also working with domains to ensure that as many as possible are prepared for the October updates to strengthen browser security.

  3. When you've confirmed that your host domains support HTTPS, find all uses of "HTTP" in your listings and replace them with "HTTPS".

    eBay's bulk edit tool can help you make this change 200 listings at a time. In Seller Hub, go to the "Listings" tab, select noncompliant listings, click Edit, then Edit fields, and select Item description. In the Item description field, click the drop-down to select Edit listings in bulk - find and replace.

    [Image: replace-https]

  4. If a host domain is not compliant with the stronger browser security standards and you want the full item description to be displayed, remove content hosted on that domain from your listing. Once the domain is HTTPS compliant, you can reinstate the content in your listings.

    If you use a third-party selling solution, contact your provider for assistance in identifying and updating non-secure content, and making your listings HTTPS compliant. If you need additional help, consider using one of the popular solutions listed below, or one of the solutions here.

    For help in identifying and updating non-secure content, consider these solutions from third-party developers.

    | Service Provider | Listing limit | Plans |
    |---|---|---|
    | Auctiva | <100,000 | Free trial. Monthly subscription: $3.95 - $19.95. |
    | ChannelAdvisor | up to millions | Contact for more details. |
    | CrazyLister | <100,000 | Free trial. Monthly subscriptions from $7 and up. Contact for more details. |
    | DemandStream, by CommerceHub | <100,000 | Contact for more details. Live support available for a subscription plan, or for an hourly rate. |
    | Frooition | up to millions | Free trial. One-time fee. Monthly subscription. Contact for more details. |
    | GarageSale by iwascoding | <100,000 | Free trial. One-time fee. |
    | Sellbrite | <100,000 | Free trial. Monthly subscription starting at $220. |
    | Seller Sourcebook | up to millions | Monthly subscription: Mobile and web based available. |
    | ShipScript | <100,000 | Free or donation, no commitment. |
    | SixBit | <100,000 | Free trial. Monthly subscription; Small business - $34.99/month. Enterprise $69.99/month. |
    | Vendio | <1,000,000 | Free trial. Monthly subscription starting at $29.95. |

Timeline

US Sites

As of October 2017 - eBay will convert all listing pages to secure HTTPS.

  • Listings with HTTP content will feature the "See full item description" button, as shown above.
  • HTTPS-compliant listings will be unchanged.

International Sites

As of October 2017 - eBay will convert listing pages as follows:

  • Listings with HTTP content will be served as a standard HTTP page, and the description will be unchanged, but the page will show an (i) in the URL and may be marked as "Not secure" by browsers like Chrome, as shown at the top of this page.
  • HTTPS-compliant listings will be unchanged.

As of February 2018 - International sites will follow the same policy as the US site.

  • Listings with HTTP content will feature the "See full item description" button.
  • HTTPS-compliant listings will be unchanged.

Technical Details

Mixed content occurs when non-secure, HTTP content is loaded on an HTTPS page. Mixed content will trigger Google Chrome's "Not secure" messaging.

Anchor tags (<a href=url>) are not treated as mixed content. Standard HTTP URLs in anchor tags are still supported. Note that anchor tags must still comply with the eBay Links Policy.

To comply with the industry's mixed-content policy, the following tags must use HTTPS URLs when viewed on a secure HTTPS page:

HTTPS Required Tags

  • Images

    <img src="https://xyz.com/" alt="Sample Text" height="42" width="42">
  • Style sheets
    • References to CSS resources: <link rel="stylesheet" type="text/css" href="https://xyz.com/...">
    • References within CSS:
      body { background-image: url("https://xyz.com/abc.gif"); }
      .banner { background: url("https://xyz.com/banner.png"); }
      ul { list-style: square url(https://xyz.com/block.png);}
  • Videos
    <video width="10" height="10" controls>
    <source src="https://xyz.com/" type="video/mp4">
    </video>
  • Audio
    <audio controls>
    <source src="https://xyz.com/" type="audio/mpeg">
    </audio>
  • APIs & Feeds
    • Trading API, for single SKU and multiple variations & feeds:
      <PictureURL> https://xyz.com/ </PictureURL>
    • Inventory API:
      "imageUrls": [ "https://xyz.com/" ]
    • MIP: In the Product and Combined feed
  • Active Content

    eBay no longer supports active content in listing descriptions.

    However, if any of the following tags are still present in listings and don't use secure HTTPS URLs, they may cause issues for Chrome users.

    <script> (src attribute)
    <iframe> (src attribute)
    <form> (action attribute)
    <embed> (src attribute)
    XMLHttpRequest calls loading insecure resources:
    var request = new XMLHttpRequest();
    request.open("GET", "http://xyz.com/", true); request.send();
  • More HTML elements

    HTML 4 Tags

    <applet codebase=url>
    <area href=url>
    <base href=url>
    <blockquote cite=url>
    <body background=url>
    <del cite=url>
    <form action=url>
    <frame longdesc=url>, <frame src=url>
    <head profile=url>
    <iframe longdesc=url>, <iframe src=url>
    <img longdesc=url>, <img src=url>, <img usemap=url>
    <input src=url>, <input usemap=url>
    <ins cite=url>
    <link href=url>
    <object classid=url>, <object codebase=url>, <object data=url>, <object usemap=url>
    <q cite=url>

    HTML 5 Tags

    <audio src=url>
    <button formaction=url>
    <command icon=url>
    <embed src=url>
    <html manifest=url>
    <input formaction=url>
    <source src=url>
    <video poster=url>, <video src=url>

    Complex URLs

    <img srcset="url1 resolution1 url2 resolution2">
    <source srcset="url1 resolution1 url2 resolution2">
    <object archive=url>, <object archive="url1 url2 url3">
    <applet archive=url>, <applet archive=url1,url2,url3>
    <meta http-equiv="refresh" content="seconds; url">
    <svg><image href="url"/></svg>
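
One way to check a listing description offline against the rules above, as an added example (it is not eBay's checking tool and not code from this page): it reports `http://` URLs in resource-loading attributes, `srcset` and `<style>` CSS, skips anchor tags, and lists the host domains whose HTTPS support needs confirming. The function and class names, the selection of tags in `URL_ATTRS`, and the hosts `cdn.example` and `media.example` are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Selected (tag, attribute) pairs from the page's lists; <a href> is excluded (not mixed content).
URL_ATTRS = {("img", "src"), ("link", "href"), ("source", "src"), ("audio", "src"),
             ("video", "src"), ("video", "poster"), ("script", "src"),
             ("iframe", "src"), ("embed", "src"), ("form", "action")}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False   # findings: (location, url)

    def _check(self, where, url):
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((where, url.strip()))

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if (tag, name) in URL_ATTRS:
                self._check(f"<{tag} {name}>", value)
            elif name == "srcset":      # comma-separated "url descriptor" candidates
                for cand in (value or "").split(","):
                    self._check(f"<{tag} srcset>", (cand.split() or [""])[0])

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):        # CSS text inside a <style> block
        for url in (CSS_URL.findall(data) if self._in_style else []):
            self._check("<style>", url)

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def hosts_to_verify(findings):          # step 2: domains to confirm HTTPS support for
    return sorted({urlsplit(url).hostname for _, url in findings})

# Constructed listing description; cdn.example and media.example are made-up hosts.
SAMPLE = """<style>.banner { background: url("http://xyz.com/banner.png"); }</style>
<img src="http://xyz.com/a.jpg" srcset="http://cdn.example/a2.jpg 2x" alt="Sample Text">
<a href="http://xyz.com/page">More items</a>
<video controls><source src="http://media.example/v.mp4" type="video/mp4"></video>"""
```

`scan(SAMPLE)` returns four findings and leaves the anchor alone; `hosts_to_verify` then gives the three domains to check before replacing "HTTP" with "HTTPS".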