Browser Security Standards
Learn how eBay is meeting new security standards and how to update non-secure content in your listings.
How browser security is changing
Google Chrome-the browser used by almost half of all eBay buyers-is making changes to its security standards and how it communicates web privacy to users.
As of October 17, 2017, the message "Not secure" appears in the address tab of Google Chrome when users visit non-secure HTTP pages and HTTPS pages that include non-secure HTTP content. Other web browsers are expected to follow suit and make similar changes in the future. As of July 2018, Google is increasing the standard even more. Chrome users will see the message "Not secure" in their address bar, even on listing descriptions that are one click away. To ensure that your buyers feel secure, we'll require that all new listings contain only secure HTTPS content after September 15, 2018.
Non-compliant page before
Non-compliant page after
HTTP stands for Hypertext Transfer Protocol and is what governs data communication on the internet. HTTPS is the secure version of HTTP (the "S" stands for "Secure"), and it ensures data privacy and security by encrypting communications from all parties.
eBay is doing its part so buyers do not see the new "Not secure" message when they visit the site and to protect data. As of October 16, 2017, eBay began using the HTTPS communications protocol for all listings. eBay Store pages have been moved to HTTPS as well. We strongly encourage you to change any HTTP content in your listings to HTTPS now.
Below, see the most common kinds of content found in sellers' listings, store templates, and elsewhere that may be using non-secure HTTP URLs.
Common HTTP Content
- Externally hosted pictures
- Photos in
- Listing descriptions
<img src="http://xyz.com/..." alt="Sample Text" height="42" width="42"> - Product variants, in multi-variation listings
<img src="http://xyz.com/..." alt="Sample Text" height="42" width="42"> - The Trading API (and related APIs):
<PictureURL> http://xyz.com/ </PictureURL> - The Inventory API:
"imageUrls": [ "http://xyz.com/" ] - The Merchant Integration Platform (MIP)
- Product feed
- Combined feed
- Listing descriptions
- Photos in
- Cascading style sheets (CSS)
- References to CSS resources:
- <link rel="stylesheet" type="text/css" href="http://xyz.com/...">
- References within CSS:
- body { background-image: url("http://xyz.com/abc.gif"); }
- .banner { background: url("http://xyz.com/banner.png");
- ul { list-style: square url(http://xyz.com/block.png);}
- References to CSS resources:
- HTML5 video
<video width="10" height="10" controls>
<source src="http://xyz.com/" type="video/mp4">
</video> - HTML5 audio
<audio controls>
<source src="http://xyz.com/" type="audio/mpeg">
</audio>
See the "Technical details" section for less commonly-used tags with non-secure URLs.
How to secure your listings
Fortunately, the majority of eBay listings are already HTTPS compliant, and HTTPS-compliant listings will continue to be shown as they are today.
New listings with non-secure HTTP content will be blocked after September 15, 2018. Existing listings with HTTP content will not be blocked in 2018, but we will introduce stronger enforcement measures next year.
eBay is providing sellers with a tool to check your listings' security. Updating listings to comply with these new security standards will mean your buyers will be able to see your full item description just as they do today.
Making your listings HTTPS compliant
To update HTTP content and make sure buyers can see your full item description in the listing page, follow these steps.
- Use these eBay resources to identify your eBay listings that contain non-secure HTTP content.
- View listings that have non-secure HTTP content on the "Non-secure content issues" page or the Listings tab in Seller Hub
- A warning message will appear when listing an item that has non-secure HTTP content: "We found non-secure (HTTP) content in your listing. Browsers display a "Not secure" message on pages that contain HTTP resources. For a secure buyer experience, you must update your content. See details Learn more"
- If the identification resources flag non-secure content, determine if the third-party websites you use to host content, commonly called domains, are compliant with the browser security standards (HTTPS).
You may be able to find this information on the host domain's website or by contacting the domain.
- When you've confirmed that your host domains support HTTPS, find all uses of "HTTP" in your listings and replace them with "HTTPS".
eBay's bulk edit tool can help you make this change 200 listings at a time. In Seller Hub, go to the "Listings" tab, select noncompliant listings, click Edit, then Edit fields, and select Item description. In the Item description field, click the drop down to select Edit listings in bulk - find and replace.
- If a host domain is not compliant with the browser security standards, and you wish for the full item description to be displayed, remove content hosted on that domain from your listing. Once they are HTTPS compliant you can reinstate the content into your listings.
If you use a third-party selling solution, contact your provider for assistance in identifying and updating non-secure content, and making your listings HTTPS compliant. If you need additional help, consider using one of the popular solutions listed below, or one of the solutions here.
For help in identifying and updating non-secure content, consider these solutions from third-party developers.
| Service Provider | Listing limit | Plans |
|---|---|---|
| Auctiva |
<100,000 |
- Free trial. |
| ChannelAdvisor |
up to millions |
- Contact for more details. |
| CrazyLister |
<100,000 |
- Free trial. |
| DemandStream, by CommerceHub |
<100,000 |
- Contact for more details. |
| Frooition |
up to millions |
- Free trial. |
| GarageSale by iwascoding |
<100,000 |
- Free trial. |
| Sellbrite |
<100,000 |
- Free trial. |
| Seller Sourcebook |
up to millions |
- Monthly subscription: Mobile and web based available. |
| ShipScript |
<100,000 |
- Free or donation, no commitment. |
| SixBit |
<100,000 |
- Free trial. |
| Vendio |
<1,000,000 |
- Free trial. |
Timeline
As of September 15, 2018, eBay will block all new listings that contain non-secure HTTP content.
- New listings with non-compliant HTTP content will be blocked.
- HTTPS-compliant listings will be unchanged.
Technical details
Mixed content occurs when non-secure, HTTP content is loaded on an HTTPS page. Mixed content will trigger Google Chrome's "Not secure" messaging.
Anchor tags (<a href=url>) are not treated as mixed content. Standard HTTP URLs in anchor tags are still supported. Note that anchor tags must still comply with the eBay Links Policy.
To comply with the industry's mixed-content policy, the following tags must use HTTPS URLs when viewed on a secure HTTPS page:
HTTPS required tags
- Images
<img src="https://xyz.com/" alt="Sample Text" height="42" width="42"> - Style sheets
- References to CSS resources: <link rel="stylesheet" type="text/css" href="https://xyz.com/...">
- References within CSS:
body { background-image: url("https://xyz.com/abc.gif"); }
.banner { background: url("https://xyz.com/banner.png");
ul { list-style: square url(https://xyz.com/block.png);}
- Videos
<video width="10" height="10" controls>
<source src="https://xyz.com/" type="video/mp4">
</video> - Audio
<audio controls>
<source src="https://xyz.com/" type="audio/mpeg">
</audio> - APIs & Feeds
- Trading API, for single SKU and multiple variations & feeds:
<PictureURL> https://xyz.com/ </PictureURL> - Inventory API: "imageUrls": [ "https://xyz.com/" ]
- MIP: In the Product and Combined feed
- Trading API, for single SKU and multiple variations & feeds:
- Active Content
eBay no longer supports active content in listing descriptions.
However, if any of the following tags are still present in listings and don't use secure HTTPS URLs, they may cause issues for Chrome users.
<script> (src attribute)
<iframe> (src attribute)
<form> (action attribute)
<embed> (src attribute)
XMLHTTPRequests loading insecure resources:
request.open("GET", "http://xyz.com/", true); request.send();
- More HTML elements
HTML 4 Tags
<applet codebase=url>
<area href=url>
<base href=url>
<blockquote cite=url>
<body background=url>
<del cite=url>
<form action=url>
<frame longdesc=url> ,<frame src=url>
<head profile=url>
<iframe longdesc=url> , <iframe src=url>
<img longdesc=url> , <img src=url> , <img usemap=url>
<input src=url> and <input usemap=url>
<ins cite=url>
<link href=url>
<object classid=url>, <object codebase=url> , <object data=url> , <object usemap=url>
<q cite=url>
HTML 5 Tags
<audio src=url>
<button formaction=url>
<command icon=url>
<embed src=url>
<html manifest=url>
<input formaction=url>
<source src=url>
<video poster=url> , <video src=url>
Complex URLs
<img srcset="url1 resolution1 url2 resolution2">
<source srcset="url1 resolution1 url2 resolution2">
<object archive=url> , <object archive="url1 url2 url3">
<applet archive=url> , <applet archive=url1,url2,url3>
<meta http-equiv="refresh" content="seconds; url">
<svg><image href="url"/></svg>
FAQs
- What's changing?
Google Chrome will begin displaying the message "Not secure" for all all pages with HTTP content. Starting on September 15, 2018, eBay will no longer allow new listings with HTTP content. This will apply to "new," "relist," and "sell similar" listings.
- Where do I need to make these updates?
Update all active listings, scheduled listings, saved listing templates, description templates, and inventory you have not yet listed.
- Will any HTTP link in my listing or store trigger the change to how buyers can view item descriptions?
Only HTTP URLs in tags pulling content onto your listing or store will trigger these changes. Such content would include images, videos, audio, CSS URLs, and other content as described in How browser security is changing.
Links to external sites are governed by the eBay links policy, but will not trigger any change.
- Will the mobile experience be changing?
No, there will be no change to the mobile experience.
- I use a third-party provider to design and manage my listings, and they assure me that their tools and features are compliant. Do my listings still need attention?
If you created Good 'Til Cancelled (GTC) listings or created your storefront before your provider updated their security protocol, your listings could still contain non-compliant content. Third-party providers list GTC listings the first time, and eBay automatically relists them, unchanged.
Contact your provider to learn how they can help you update older GTC listings, draft listings, and listing templates.
- Is this the same as the requirement to remove active content?
No. Since June 2017, eBay does not allow active content such as JavaScript, Flash, plug-ins, and other similar programming methods in listings.
Externally hosted content such as photos and cascading style sheets (CSS) are deemed "passive" content and are still allowed in listings. They will not trigger the Google "Not secure" message or hidden description as long as they are delivered using the secure HTTPS transfer protocol.
- What will happen if I change my content to HTTPS, but my domain is not HTTPS compliant?
Your content will likely show up as a broken image or video. Contact your domain to make sure they are HTTPS compliant or remove HTTP content altogether.
- Will eBay block my listings if they contain HTTP content?
No, we do not plan to block listings with noncompliant content.
- What is the difference between active content, the HTTP requirement and off-eBay links?
Active content was used by many sellers to provide interactivity, animation or video via JavaScript, Flash, plug-ins and form actions in listings. As of June 2017, eBay no longer renders active content and recommends alternatives to active content.
HTTP is a communications protocol used to access pages via the internet. HTTPS (the S is for secure) ensures all your communication over the network is encrypted and secure. Browsers like Google Chrome are mandating stronger HTTPS standards and eBay is supportive. eBay pages are HTTPS, and we are requiring our sellers to also only link to HTTPS pages beginning in October 2017. Sellers who do not switch to the HTTPS protocol will have their item description suppressed - one click away - so that buyers do not see "not secure" text in the URL of the page.
To ensure that your item descriptions and images display properly, ask your hosting provider or third-party partner to support HTTPS and update listing templates or descriptions accordingly. For optimized display on both desktop and mobile, we recommend that you upload your images to eBay.
Off-eBay links, email addresses and phone numbers are not permitted on the item description page, aria-labels or other eBay pages. Even if you remove active content and update to the HTTPS protocol, they still are not permitted. eBay may take a range of actions for sellers who violate our offers to buy or sell off eBay policy.
- It looks like my listing description is fully compliant but it's still showing that it's not. What else could it be?
Make sure you also review the gallery images that you submit to eBay as those images must also be HTTPS compliant.
- What is the best way to bulk-edit my listings?
Use the find-and-replace feature highlighted above. If this solution does not meet your needs, please review our list of third-party providers who offer low-cost options for bulk edits.
- Are links to eBay Stores allowed in our listings? For example, I use links to the newsletter sign-up page and other eBay pages as a promotional tool. If the links are allowed, do I have to manually change the URLs from HTTP to HTTPS?
Links in listings to eBay Stores are allowed as long as they are in anchor tag format. The links do not have to use HTTPS as long as they are in the regular anchor tag format.
Anchor tag format example: <a href=https://www.ebay.com/str/StoreName>
eBay provides a tool that you can use to test for HTTPS compliance. You can provide your seller user ID or listing ID as an HTTPS test sample. Following is an example of the eBay tool:
- I self-host photos in my descriptions. Will my photos be compliant if the host site is secure (i.e., HTTPS-compliant)? Will I need to change the prefix of each image URL from HTTP to HTTPS?
Yes, your self-hosted images will be compliant if the host site is secure (i.e., has SSL and is HTTPS-compliant). You will need to change the prefix on each of the self-hosted image URLs from HTTP to HTTPS.
- Are links in listings generated by 3-P providers like Six-Bit, Auctiva, and et-al allowed if they are HTTPS-compliant? Will I need to make sure those links use the HTTPS prefix?
Resources like images, videos, audio files, and CSS from 3-P providers are allowed. However, you are responsible for ensuring that the links use the HTTPS prefix. Please refer to the list of tags that require HTTPS here. Please note that links to 3-P providers that use the form <a href="...."> are not allowed. Only certain whitelisted categories in this form are allowed (e.g., freight providers, video providers, eBay-owned domains, and legally required domains). Refer to the eBay links policy for more information.
- Do I only need to ensure that my description area is free of non-secure content?
No. You also need to ensure that your image uploads, such as eBay gallery images and multi-SKU item images, are HTTPS compliant.
