In April 2019, with a view to preventing abuse, Google engineers expressed the intention to block certain HTTP file downloads initiated from pages loaded via an HTTPS URL. The proposal has now materialized and will soon be rolled out in six phases, starting with Google Chrome 83.
Google’s Original Plan
According to Google, certain file types are considered “high-risk”, since they are the most likely to be abused for hiding malware. To mitigate this, Google engineers suggested blocking insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the download itself takes place via insecure HTTP. The “high-risk” formats Google proposed to block included EXE (Windows application binary), DMG (Mac application binary), CRX (Chrome extension package), and all the major archive formats, such as ZIP, GZIP, BZIP, TAR, RAR, and 7Z.
Chrome’s Six-Phase Roll-Out
Chrome does not plan to jolt its users by blocking HTTP file downloads all at once. Instead, it plans to do so gradually in the following six phases:
- Phase 1 – Chrome 81 (March 2020 release) and later:
Chrome will display a warning message about all mixed content downloads.
- Phase 2 – Chrome 82 (April 2020 release):
Chrome will display a warning on mixed content downloads of executables (e.g. .exe).
- Phase 3 – Chrome 83 (June 2020 release):
Chrome will block mixed content executables and display a warning on download of mixed content archives (.zip) and disk images (.iso).
- Phase 4 – Chrome 84 (August 2020 release):
Chrome will block mixed content executables, archives and disk images. In this version, Chrome will display a warning on all other mixed content downloads except image, audio, video and text formats.
- Phase 5 – Chrome 85 (September 2020 release):
Chrome will continue displaying a warning on mixed content downloads of images, audio, video, and text and will block all other (mixed content) downloads.
- Phase 6 – Chrome 86 (October 2020 release) and beyond:
Chrome will block all mixed content downloads.
Google also studied the implications these changes might have on its enterprise and education customers, and so provided an option to disable the blocking on a per-site basis via the existing Chrome enterprise policy InsecureContentAllowedForUrls. This is done by adding a pattern matching the page that requests the download.
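The phase table above and the policy exemption can both be exercised with a small audit script. The following is an added example, not code from Google or the Chromium project: it parses an HTTPS page's links, flags those that point at plain-HTTP resources, classifies each by the file-type groups the article names and the Chrome version at which that group starts being blocked, and builds the managed-policy JSON that would exempt a given page. The extension lists, the sample page and the exact policy JSON shape (a list of URL patterns under the policy name) are assumptions made for the demonstration.

```python
"""Audit an HTTPS page for mixed-content downloads and map each one to the
Chrome version that starts blocking it (added example, not Chrome's code)."""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed extension groups, derived from the file types the article lists.
EXECUTABLES = {".exe", ".dmg", ".crx"}                                   # blocked from Chrome 83
ARCHIVES_AND_IMAGES = {".zip", ".gz", ".gzip", ".bz2", ".tar", ".rar", ".7z", ".iso"}  # blocked from 84
MEDIA_AND_TEXT = {".png", ".jpg", ".jpeg", ".gif", ".mp3", ".mp4", ".webm", ".txt"}    # warned until 86


class _LinkCollector(HTMLParser):
    """Collect every href on <a> tags; the stdlib parser is enough here."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _extension(url):
    """Lower-cased final extension of the URL path, or '' if there is none."""
    path = urlsplit(url).path.lower()
    dot = path.rfind(".")
    return path[dot:] if dot != -1 and "/" not in path[dot:] else ""


def classify(url):
    """Return (category, first Chrome version that blocks this download)."""
    ext = _extension(url)
    if ext in EXECUTABLES:
        return "executable", 83
    if ext in ARCHIVES_AND_IMAGES:
        return "archive-or-disk-image", 84
    if ext in MEDIA_AND_TEXT:
        return "media-or-text", 86
    return "other", 85  # Phase 5 blocks every remaining type


def find_mixed_content_downloads(page_url, html):
    """List (absolute_url, category, blocked_from) for each link on an HTTPS
    page that points to a plain-HTTP resource. Relative links are resolved
    against the page URL, so they inherit HTTPS and are not mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an HTTPS page can produce mixed content
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme == "http":
            category, version = classify(absolute)
            findings.append((absolute, category, version))
    return findings


def policy_allowlist(page_urls):
    """Build the managed-policy JSON exempting the origins of the given pages.
    Assumed shape: InsecureContentAllowedForUrls holds a list of URL patterns;
    an origin string such as "https://host" is one valid pattern form."""
    patterns = sorted({f"{urlsplit(u).scheme}://{urlsplit(u).netloc}" for u in page_urls})
    return json.dumps({"InsecureContentAllowedForUrls": patterns}, indent=2)


# Constructed sample page for the demonstration (not a real site).
SAMPLE_PAGE_URL = "https://downloads.example.test/index.html"
SAMPLE_HTML = """
<a href="http://cdn.example.test/setup.exe">Installer</a>
<a href="/files/backup.tar.gz">Backup (relative, stays HTTPS)</a>
<a href="http://cdn.example.test/files/disk.iso">Disk image</a>
<a href="http://cdn.example.test/readme.txt">Readme</a>
<a href="http://cdn.example.test/report.pdf">Report</a>
<a href="https://cdn.example.test/safe.zip">Secure archive</a>
"""

if __name__ == "__main__":
    for url, category, version in find_mixed_content_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{url}: {category}, blocked from Chrome {version}")
    print(policy_allowlist([SAMPLE_PAGE_URL]))
```

Run against the sample page, the script reports four mixed-content downloads (the relative `.tar.gz` link and the HTTPS `.zip` link are correctly left out) and prints the policy entry for `https://downloads.example.test`. Scope any such pattern as narrowly as possible: InsecureContentAllowedForUrls relaxes Chrome's mixed-content protections for the matched pages generally, not only for downloads, so serving the files over HTTPS is the real fix and the policy is a stop-gap.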
Developers and webmasters can also test the warning for mixed content downloads in the current version of Chrome Canary, or in Chrome 81 once released, by enabling the flag at chrome://flags/#treat-unsafe-downloads-as-active-content.