Google Chrome will “gradually” block non-HTTPS downloads started on secure pages (mixed content downloads) starting from June 2020, and will eventually block all mixed content downloads by October 2020, the company announced in a blog post on February 6. Starting April 2020, Chrome will begin warning users whenever they download non-secure files such as executables (.exe) on secure pages. This is significant because, by Google’s own admission, Chrome currently gives the user no indication that their privacy and security are at risk. In October 2019, Google had said that it was planning to block mixed content downloads.
“Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome,” it said in the blog post.
What exactly are mixed content downloads?
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS, explained Google.
How Chrome plans to eventually block mixed content downloads:
As per the blog post, file types that pose the “most risk” to users will be dealt with first, with subsequent releases covering more file types. The measures will be rolled out in the following order:
- Chrome 81 (released March 2020) and later: Will print a console message warning about all mixed content downloads.
- Chrome 82 (released April 2020): Will warn on mixed content downloads of executables (e.g. .exe).
- Chrome 83 (released June 2020): Will block mixed content executables and will warn on mixed content archives (.zip) and disk images (.iso).
- Chrome 84 (released August 2020): Will block mixed content executables, archives and disk images and will warn on all other mixed content downloads except image, audio, video and text formats.
- Chrome 85 (released September 2020): Will warn on mixed content downloads of images, audio, video, and text and will block all other mixed content downloads.
- Chrome 86 (released October 2020) and beyond: Will block all mixed content downloads.
Google justified the phased rollout of the feature as being “designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see”. Chrome will also delay the rollout for Android and iOS users by one release, so the rollout on those platforms will begin with version 83, since “mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users,” according to Google.
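For site owners preparing for this rollout, the following added example (not code from Google or from the original article) scans a secure page's markup for links that would trigger a mixed content download and reports how a given Chrome version would treat each one under the schedule above. The function names, the classification by URL extension, the sample media extensions and the sample markup are assumptions made for illustration.

```javascript
// Warn/block thresholds (desktop Chrome versions) taken from the rollout list above.
const SCHEDULE = {
  executable: { warn: 82, block: 83 },
  archive: { warn: 83, block: 84 }, // archives and disk images
  other: { warn: 84, block: 85 },
  media: { warn: 85, block: 86 }, // image, audio, video, text
};
// .exe, .zip and .iso are named in the article; the media extensions are assumed samples.
const EXTENSIONS = {
  executable: ['.exe'],
  archive: ['.zip', '.iso'],
  media: ['.png', '.jpg', '.mp3', '.mp4', '.txt'],
};
function categorize(url) {
  const path = url.pathname.toLowerCase();
  for (const [category, exts] of Object.entries(EXTENSIONS)) {
    if (exts.some((ext) => path.endsWith(ext))) return category;
  }
  return 'other';
}
function chromeAction(category, version, mobile = false) {
  // Assumption: the one-release delay on Android and iOS shifts every step by one version.
  const v = mobile ? version - 1 : version;
  if (v >= SCHEDULE[category].block) return 'block';
  if (v >= SCHEDULE[category].warn) return 'warn';
  return v >= 81 ? 'console' : 'none';
}

function auditDownloads(pageUrl, html, version, mobile = false) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on secure pages
  const findings = [];
  for (const m of html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)) {
    let target;
    try { target = new URL(m[1], page); } catch { continue; } // skip unparsable hrefs
    if (target.protocol !== 'http:') continue; // relative and // links inherit https
    const category = categorize(target);
    findings.push({ url: target.href, category, action: chromeAction(category, version, mobile) });
  }
  return findings;
}

// Constructed sample markup; all hosts are placeholders.
const SAMPLE_HTML = `<a href="http://downloads.example.com/setup.exe">Installer</a>
  <a href="/files/manual.pdf">Manual</a>
  <a href="http://cdn.example.com/backup.ZIP">Archive</a>
  <a href="//static.example.com/tool.exe">Tool</a>
  <a href="http://cdn.example.com/statement.pdf">Statement</a>`;
console.log(auditDownloads('https://shop.example.com/downloads', SAMPLE_HTML, 83));
```

The scan only sees `http://` targets written directly in anchor tags; an HTTPS link that redirects to HTTP has to be checked by following the request itself.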