2018 Fall Seller Update    See What’s New

How browser security is changing

Google Chrome-the browser used by almost half of all eBay buyers-is making changes to its security standards and how it communicates web privacy to users.

As of October 17, 2017, the message "Not secure" appears in the address tab of Google Chrome when users visit non-secure HTTP pages and HTTPS pages that include non-secure HTTP content. Other web browsers are expected to follow suit and make similar changes in the future. As of July 2018, Google is increasing the standard even more. Chrome users will see the message "Not secure" in their address bar, even on listing descriptions that are one click away. To ensure that your buyers feel secure, we'll require that all new listings contain only secure HTTPS content after September 15, 2018.

Non-compliant page before

https-secure

Non-compliant page after

https-not-secure

HTTP stands for Hypertext Transfer Protocol and is what governs data communication on the internet. HTTPS is the secure version of HTTP (the "S" stands for "Secure"), and it ensures data privacy and security by encrypting communications from all parties.

eBay is doing its part so buyers do not see the new "Not secure" message when they visit the site and to protect data. As of October 16, 2017, eBay began using the HTTPS communications protocol for all listings. eBay Store pages have been moved to HTTPS as well. We strongly encourage you to change any HTTP content in your listings to HTTPS now.

Below, see the most common kinds of content found in sellers' listings, store templates, and elsewhere that may be using non-secure HTTP URLs.

Common HTTP Content

Expand all Collapse all
  • Externally hosted pictures
    • Photos in
      • Listing descriptions
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • Product variants, in multi-variation listings
        <img src="http://xyz.com/..." alt="Sample Text" height="42" width="42">
      • The Trading API (and related APIs):
        <PictureURL> http://xyz.com/ </PictureURL>
      • The Inventory API:
        "imageUrls": [ "http://xyz.com/" ]
      • The Merchant Integration Platform (MIP)
        • Product feed
        • Combined feed
  • Cascading style sheets (CSS)
    • References to CSS resources:
      • <link rel="stylesheet" type="text/css" href="http://xyz.com/...">
    • References within CSS:
      • body { background-image: url("http://xyz.com/abc.gif"); }
      • .banner { background: url("http://xyz.com/banner.png");
      • ul { list-style: square url(http://xyz.com/block.png);}
  • HTML5 video
    <video width="10" height="10" controls>
    <source src="http://xyz.com/" type="video/mp4">
    </video>
  • HTML5 audio
    <audio controls>
    <source src="http://xyz.com/" type="audio/mpeg">
    </audio>

See the "Technical details" section for less commonly-used tags with non-secure URLs.



How to secure your listings

Fortunately, the majority of eBay listings are already HTTPS compliant, and HTTPS-compliant listings will continue to be shown as they are today.

New listings with non-secure HTTP content will be blocked after September 15, 2018. Existing listings with HTTP content will not be blocked in 2018, but we will introduce stronger enforcement measures next year.

eBay is providing sellers with a tool to check your listings' security. Updating listings to comply with these new security standards will mean your buyers will be able to see your full item description just as they do today.

Making your listings HTTPS compliant

To update HTTP content and make sure buyers can see your full item description in the listing page, follow these steps.

  1. Use these eBay resources to identify your eBay listings that contain non-secure HTTP content.
    1. View listings that have non-secure HTTP content on the "Non-secure content issues" page or the Listings tab in Seller Hub
    2. A warning message will appear when listing an item that has non-secure HTTP content: "We found non-secure (HTTP) content in your listing. Browsers display a "Not secure" message on pages that contain HTTP resources. For a secure buyer experience, you must update your content. See details Learn more"
  2. If the identification resources flag non-secure content, determine if the third-party websites you use to host content, commonly called domains, are compliant with the browser security standards (HTTPS).

    You may be able to find this information on the host domain's website or by contacting the domain.

  3. When you've confirmed that your host domains support HTTPS, find all uses of "HTTP" in your listings and replace them with "HTTPS".

    eBay's bulk edit tool can help you make this change 200 listings at a time. In Seller Hub, go to the "Listings" tab, select noncompliant listings, click Edit, then Edit fields, and select Item description. In the Item description field, click the drop down to select Edit listings in bulk - find and replace.

  4. replace-https

  5. If a host domain is not compliant with the browser security standards, and you wish for the full item description to be displayed, remove content hosted on that domain from your listing. Once they are HTTPS compliant you can reinstate the content into your listings.

    If you use a third-party selling solution, contact your provider for assistance in identifying and updating non-secure content, and making your listings HTTPS compliant. If you need additional help, consider using one of the popular solutions listed below, or one of the solutions here.

    For help in identifying and updating non-secure content, consider these solutions from third-party developers.

  6. Service Provider Listing limit Plans
    Auctiva

    <100,000

    - Free trial.
    - Monthly subscription: $3.95 - $19.95.

    ChannelAdvisor

    up to millions

    - Contact for more details.

    CrazyLister

    <100,000

    - Free trial.
    - Monthly subscriptions from $7 and up. Contact for more details.

    DemandStream, by CommerceHub

    <100,000

    - Contact for more details.
    - Live support available for a subscription plan, or for an hourly rate.

    Frooition

    up to millions

    - Free trial.
    - One-time fee.
    - Monthly subscription. Contact for more details.

    GarageSale by iwascoding

    <100,000

    - Free trial.
    - One-time fee.

    Sellbrite

    <100,000

    - Free trial.
    - Monthly subscription starting at $220.

    Seller Sourcebook

    up to millions

    - Monthly subscription: Mobile and web based available.

    ShipScript

    <100,000

    - Free or donation, no commitment.

    SixBit

    <100,000

    - Free trial.
    - Monthly subscription; Small business - $34.99/month. Enterprise $69.99/month.

    Vendio

    <1,000,000

    - Free trial.
    - Monthly subscription starting at $29.95.

Timeline

As of September 15, 2018, eBay will block all new listings that contain non-secure HTTP content.

  • New listings with non-compliant HTTP content will be blocked.
  • HTTPS-compliant listings will be unchanged.

Technical details

Mixed content occurs when non-secure, HTTP content is loaded on an HTTPS page. Mixed content will trigger Google Chrome's "Not secure" messaging.

Anchor tags (<a href=url>) are not treated as mixed content. Standard HTTP URLs in anchor tags are still supported. Note that anchor tags must still comply with the eBay Links Policy.

To comply with the industry's mixed-content policy, the following tags must use HTTPS URLs when viewed on a secure HTTPS page:

HTTPS required tags

Expand all Collapse all
  • Images

    <img src="https://xyz.com/" alt="Sample Text" height="42" width="42">
  • Style sheets
    • References to CSS resources: <link rel="stylesheet" type="text/css" href="https://xyz.com/...">
    • References within CSS:
      body { background-image: url("https://xyz.com/abc.gif"); }
      .banner { background: url("https://xyz.com/banner.png");
      ul { list-style: square url(https://xyz.com/block.png);}
  • Videos
    <video width="10" height="10" controls>
    <source src="https://xyz.com/" type="video/mp4">
    </video>
  • Audio
    <audio controls>
    <source src="https://xyz.com/" type="audio/mpeg">
    </audio>
  • APIs & Feeds
    • Trading API, for single SKU and multiple variations & feeds:
      <PictureURL> https://xyz.com/ </PictureURL>
      • Inventory API: "imageUrls": [ "https://xyz.com/" ]
      • MIP: In the Product and Combined feed
  • Active Content

    eBay no longer supports active content in listing descriptions.

    However, if any of the following tags are still present in listings and don't use secure HTTPS URLs, they may cause issues for Chrome users.

    <script> (src attribute)
    <iframe> (src attribute)
    <form> (action attribute)
    <embed> (src attribute)
    XMLHTTPRequests loading insecure resources:
    request.open("GET", "http://xyz.com/", true); request.send();
  • More HTML elements

    HTML 4 Tags

    <applet codebase=url>
    <area href=url>
    <base href=url>
    <blockquote cite=url>
    <body background=url>
    <del cite=url>
    <form action=url>
    <frame longdesc=url> ,<frame src=url>
    <head profile=url>
    <iframe longdesc=url> , <iframe src=url>
    <img longdesc=url> , <img src=url> , <img usemap=url>
    <input src=url> and <input usemap=url>
    <ins cite=url>
    <link href=url>
    <object classid=url>, <object codebase=url> , <object data=url> , <object usemap=url>
    <q cite=url>

    HTML 5 Tags

    <audio src=url>
    <button formaction=url>
    <command icon=url>
    <embed src=url>
    <html manifest=url>
    <input formaction=url>
    <source src=url>
    <video poster=url> , <video src=url>

    Complex URLs

    <img srcset="url1 resolution1 url2 resolution2">
    <source srcset="url1 resolution1 url2 resolution2">
    <object archive=url> , <object archive="url1 url2 url3">
    <applet archive=url> , <applet archive=url1,url2,url3>
    <meta http-equiv="refresh" content="seconds; url">
    <svg><image href="url"/></svg>




Was this page helpful?

0 / 100

Please leave the following fields untouched.