Downloads as Mixed Content

Chrome intends to block insecurely delivered downloads of high-risk file types when they are initiated from secure contexts. These high-risk file types will initially be limited to desktop executables, for the best tradeoff between user protection and compatibility.

Downloads over insecure contexts present a risk to users, and arguably the greatest risk comes from executables downloaded from secure contexts. Once downloaded, a malicious executable can circumvent any protections Chrome puts in place. Further, Chrome does not and cannot warn users by downgrading security indicators on secure pages that initiate insecure downloads, because it does not reliably know whether an action will initiate an insecure download until the request is made.
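A site owner can check their own pages against this policy before it ships. The following is an added example, not Chrome's implementation: it classifies download links by initiator scheme, redirect chain and file extension. The extension list, the treatment of any non-HTTPS redirect hop as insecure delivery, the function names and the sample URLs are all assumptions made for illustration.

```javascript
// Added example. ASSUMPTION: illustrative extension list, not Chrome's actual list.
const HIGH_RISK_EXTENSIONS = new Set(['exe', 'msi', 'dmg', 'pkg', 'deb', 'rpm']);

// Lower-cased extension of the last path segment; query string and fragment are ignored.
function extensionOf(url) {
  const name = url.pathname.split('/').pop();
  const dot = name.lastIndexOf('.');
  return dot > 0 ? name.slice(dot + 1).toLowerCase() : '';
}

// Resolve each hop against the previous one, the way a redirect Location is resolved.
function resolveChain(initiator, hops) {
  if (hops.length === 0) throw new Error('a download needs at least one URL');
  const chain = [];
  let base = initiator;
  for (const hop of hops) {
    base = new URL(hop, base);
    chain.push(base);
  }
  return chain;
}

// ASSUMPTIONS: "secure context" is approximated as an https: initiator, and a
// download counts as insecurely delivered if any hop in its chain is not https:.
function classifyDownload(initiatorUrl, hops) {
  const initiator = new URL(initiatorUrl);
  if (initiator.protocol !== 'https:') return 'out-of-scope';
  const chain = resolveChain(initiator, hops);
  const insecure = chain.some((u) => u.protocol !== 'https:');
  if (!insecure) return 'secure';
  const ext = extensionOf(chain[chain.length - 1]);
  return HIGH_RISK_EXTENSIONS.has(ext) ? 'would-block' : 'insecure-other-type';
}

// Constructed sample data: download links found on a hypothetical HTTPS page.
const SAMPLE_PAGE = 'https://www.example.com/downloads/';
const SAMPLE_DOWNLOADS = [
  ['setup.exe'],                                              // relative, stays on HTTPS
  ['http://cdn.example.com/tool/Installer.MSI?v=2'],          // direct HTTP link
  ['/get/latest', 'http://mirror.example.net/app-1.2.dmg'],   // HTTPS link, HTTP redirect
  ['http://cdn.example.com/manual.pdf'],                      // insecure, not an executable
];

function auditPage(pageUrl, downloads) {
  return downloads.map((hops) => ({ hops, verdict: classifyDownload(pageUrl, hops) }));
}

for (const { hops, verdict } of auditPage(SAMPLE_PAGE, SAMPLE_DOWNLOADS)) {
  console.log(verdict.padEnd(20), hops.join(' -> '));
}
```

The third sample is the case the paragraph above describes: the link on the page is HTTPS, and the insecure hop only becomes visible once the request is made and redirected.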

Documentation

Status in Chromium

UI>Browser>Downloads


Behind a flag (tracking bug) in:

  • Chrome for desktop release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • No public signals
  • No public signals
  • Mixed signals

Owners

Last updated on 2019-06-24