Blocking insecure downloads from secure (HTTPS) contexts

Chrome intends to block insecurely-delivered downloads initiated from secure contexts ("mixed content downloads"). Chrome will begin warning on, then blocking, progressively more mixed content downloads until all such downloads are silently blocked.

Downloads over insecure contexts present a risk to users. Once downloaded, a malicious file can circumvent any protections Chrome puts in place. Further, Chrome does not and can not warn users by downgrading security indicators on secure pages that initiate insecure downloads, as it does not reliably know whether an action will initiate an insecure download until the request is made.

Comments

The timeline announced in the blogpost has been postponed. Our current plan is to delay each user-visible stage in the rollout by two releases. For instance, the first user-visible warnings will start in Chrome 84 instead of Chrome 82, and the transition will be complete by Chrome 88. Console warnings will start in Chrome 81 as originally announced. We may revise this timeline. This Platform Status entry will be kept updated with the latest information. Chrome intends to eventually remove support for all insecure downloads as they present a threat to the privacy and security of users. Developers are encouraged to move entirely to HTTPS to avoid future changes.

Documentation

Status in Chromium

UI>Browser>Downloads


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • No public signals
  • No public signals
  • Mixed signals

Owners

Last updated on 2020-04-03