Google plans to block all insecure downloads in coming versions of the company’s Google Chrome browser. Insecure downloads, according to Google, are downloads that are initiated from HTTPS pages but are not themselves served via HTTPS. The decision won’t affect sites that are still accessed via HTTP.
The change is the next step in Google’s plan to block “all insecure subresources on secure pages”, which it announced last year. Back then, Google declared that mixed content, another term for insecure content on secure websites, “threatens the privacy and security of users”, as attackers could “tamper with a mixed image of a stock chart to mislead investors” or inject “a tracking cookie into a mixed resource load”.
Google wrote: “Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.”
Google will introduce the change gradually starting in Chrome 81 on the desktop. First, the browser will only display warnings in the Developer console to get the attention of developers working on sites with insecure downloads.
In Chrome 82, a warning will be displayed if executable files such as .exe or .apk are downloaded via HTTP, but blocking is not yet enforced at this point.
Starting in Chrome 83, the browser will block insecure executable downloads outright and display a warning if archives are downloaded via HTTP.
Then in Chrome 84, insecure executable and archive downloads will be blocked, and a warning will be displayed for “all other non-safe types” such as PDFs or documents.
In Chrome 85, these non-safe types are blocked as well, and warnings are displayed for media and text files.
Finally, in Chrome 86, all insecure downloads are blocked in the browser.
Google will delay the roll-out on the Android and iOS versions of Chrome by one release, which means that warnings for insecure executable file downloads are displayed in Chrome 83 on those systems and not in Chrome 82.
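For site owners who want to find affected downloads before the rollout reaches them, the following added example (not Chrome or Google code) audits an HTTPS page’s links for downloads that would be fetched over plain HTTP and labels each with the rollout stage from the schedule above. The extension lists beyond .exe, .apk and .pdf, and the sample HTML, are assumptions constructed for the example.

```python
# Added example (not Chrome's code): audit an HTTPS page for download links that
# would be fetched over plain HTTP, i.e. the "insecure downloads" Chrome blocks.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# File-type categories in the order the Chrome 82-86 rollout blocks them.
# Only .exe, .apk and .pdf appear in the article; the other extensions are assumptions.
CATEGORIES = {
    "executable": {".exe", ".apk"},               # warned in 82, blocked in 83
    "archive": {".zip", ".rar", ".7z"},           # warned in 83, blocked in 84
    "other-non-safe": {".pdf", ".doc", ".docx"},  # warned in 84, blocked in 85
    "media-or-text": {".mp3", ".mp4", ".txt"},    # warned in 85, blocked in 86
}

class LinkCollector(HTMLParser):
    """Collect href values of every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def classify(url):
    """Map a URL's file extension to a rollout category ("other" if unknown)."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return next((cat for cat, exts in CATEGORIES.items() if ext in exts), "other")

def find_insecure_downloads(page_url, html):
    """Return [(absolute_url, category)] for links an HTTPS page fetches over http://."""
    if urlsplit(page_url).scheme != "https":
        return []  # plain-HTTP pages are out of scope of the blocking
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)  # relative and //host links inherit https
        if urlsplit(absolute).scheme == "http":
            findings.append((absolute, classify(absolute)))
    return findings

# Constructed sample page: the first two links are safe, the last two are not.
SAMPLE_HTML = """
<a href="/files/setup.exe" download>Installer</a>
<a href="//cdn.example.test/pkg.zip">Archive</a>
<a href="http://legacy.example.test/app.apk">Android build</a>
<a href="http://legacy.example.test/statement.pdf">Bank statement</a>
"""
```

Run `find_insecure_downloads("https://www.example.test/", SAMPLE_HTML)` to see the two HTTP links reported as "executable" and "other-non-safe".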
Administrators may use the flag chrome://flags/#treat-unsafe-downloads-as-active-content to disallow downloads of unsafe files right away when Chrome 81 is released (as well as in development versions of the web browser).
Enabling the flag and restarting the browser is all it takes.
Enterprise and education customers may override the blocking on a per-site basis by using the InsecureContentAllowedForUrls policy.