Chrome is working harder than ever to ensure that secure (HTTPS) pages only serve secure content, and Google intends to protect users from insecure files by automatically blocking mixed content downloads.
Non-HTTPS downloads started on secure pages are a “risk to users’ security and privacy,” with Google noting that “insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.”
At present, the browser gives no indication of insecure downloads started on HTTPS pages. Chrome 82 in April will provide such a warning, starting with executables like APKs and EXEs. The warning will show up in the downloads bar, where Chrome will note that a file “can’t be downloaded securely.”
Google will roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. The plan for desktop platforms is as follows:
In Chrome 81 (released March 2020) and later:
  - Chrome will print a console message warning about all mixed content downloads.
In Chrome 82 (released April 2020):
  - Chrome will warn on mixed content downloads of executables (e.g. .exe).
In Chrome 83 (released June 2020):
  - Chrome will block mixed content executables.
  - Chrome will warn on mixed content archives (.zip) and disk images (.iso).
In Chrome 84 (released August 2020):
  - Chrome will block mixed content executables, archives and disk images.
  - Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
In Chrome 85 (released September 2020):
  - Chrome will warn on mixed content downloads of images, audio, video, and text.
  - Chrome will block all other mixed content downloads.
In Chrome 86 (released October 2020) and beyond:
  - Chrome will block all mixed content downloads.
(Example of a potential warning)
Google will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head start on updating their sites before mobile users are affected.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can enable a warning on all mixed content downloads for testing by turning on the “Treat risky downloads over insecure connections as active mixed content” flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
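The simplest way to stay ahead of the rollout is to audit your own pages for download links that an HTTPS page would fetch over plain HTTP, and to sort the hits by the file groups the schedule above names (executables, archives, disk images, image/audio/video/text, everything else). The script below is an added example written for this article, not code from the original post or from Chrome itself. It parses static HTML with the standard library only, resolves relative and protocol-relative links against the page URL (those inherit the page's scheme and are not mixed content), and reports the absolute HTTP links it finds. The sample page, the URLs in it, and the extension list beyond .exe/.apk/.zip/.iso are constructed for illustration.

```python
"""Audit static HTML for mixed content downloads: links on an HTTPS page
that would fetch a file over plain HTTP. Added example; the sample page,
host names and extension table are constructed, not taken from Chrome."""
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urljoin, urlsplit

# Representative extensions for the groups named in the rollout plan.
# Only .exe, .apk, .zip and .iso come from the plan; the rest are assumed
# stand-ins for "image, audio, video and text formats".
CATEGORIES = {
    "executable": {".exe", ".apk"},
    "archive": {".zip"},
    "disk image": {".iso"},
    "image/audio/video/text": {".png", ".jpg", ".gif", ".mp3", ".mp4", ".txt"},
}


class LinkCollector(HTMLParser):
    """Collect the href value of every <a> element in the markup."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def classify(url):
    """Map a URL to one of the rollout groups by its file extension."""
    suffix = PurePosixPath(urlsplit(url).path).suffix.lower()
    for category, extensions in CATEGORIES.items():
        if suffix in extensions:
            return category
    return "other"


def find_mixed_downloads(page_url, html):
    """Return [(absolute_url, category)] for links that an HTTPS page would
    fetch over plain HTTP, in document order. Relative and protocol-relative
    links resolve to the page's own scheme and are therefore not reported.
    A page that is itself served over HTTP has no mixed content by definition."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme == "http":
            findings.append((absolute, classify(absolute)))
    return findings


# Constructed sample page: a mix of insecure, secure and relative links.
PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<ul>
  <li><a href="http://cdn.example.com/setup.exe">Installer</a></li>
  <li><a href="https://cdn.example.com/safe.zip">Archive (HTTPS)</a></li>
  <li><a href="/files/report.pdf">Report (relative link)</a></li>
  <li><a href="//cdn.example.com/archive.zip">Archive (protocol-relative)</a></li>
  <li><a href="http://cdn.example.com/backup.iso">Disk image</a></li>
  <li><a href="http://cdn.example.com/logo.png">Logo</a></li>
  <li><a href="http://cdn.example.com/data.csv">Data export</a></li>
  <li><a href="mailto:webmaster@example.com">Contact</a></li>
</ul>
"""

if __name__ == "__main__":
    for url, category in find_mixed_downloads(PAGE_URL, SAMPLE_HTML):
        print(f"{category:24} {url}")
```

The check only sees what is in the markup: downloads started from JavaScript, or links whose HTTPS URL later redirects to HTTP, will not show up here and need to be verified with the Chrome flag described above.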
Conclusion: Google will continue to protect Chrome users against insecure downloads. Please note: developers are encouraged to fully migrate to HTTPS to avoid future restrictions and fully protect their users.