Blocking insecure downloads from secure (HTTPS) contexts

Chrome intends to block insecurely-delivered downloads initiated from secure contexts ("mixed content downloads"). Chrome will begin warning on, then blocking, progressively more mixed content downloads until all such downloads are silently blocked.

Motivation

Downloads over insecure contexts present a risk to users. Once downloaded, a malicious file can circumvent any protections Chrome puts in place. Further, Chrome does not and cannot warn users by downgrading security indicators on secure pages that initiate insecure downloads, as it does not reliably know whether an action will initiate an insecure download until the request is made.

Documentation

Status in Chromium

UI>Browser>Downloads


Browser Intervention (tracking bug) in:

  • Chrome for desktop release 84
  • Chrome for Android release 85

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • Mixed signals

Owners

Comments

This feature release was delayed slightly due to Chrome release schedule changes. The following reflects our current plans. Console warnings started in Chrome 81 as originally announced. User-visible warnings will start in Chrome 84 (instead of Chrome 82), with warnings ramping up through Chrome 87. Final desktop blocking will be complete by Chrome 88. Android will lag one release behind, with the first user-visible warnings seen in Chrome 85. We may revise this timeline. This Platform Status entry will be kept updated with the latest information. Please see https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more deprecation details. Chrome intends to eventually remove support for all insecure downloads as they present a threat to the privacy and security of users. Developers are encouraged to move entirely to HTTPS to avoid future changes.
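For site owners preparing for this change, the following added example (not Chrome's or the Chromium project's code) audits the markup of an HTTPS page for links that resolve to `http://` targets, which are the candidates for mixed content downloads. The page URL, hostnames, markup and function names are all constructed for illustration.

```javascript
// Added example: flag links on an HTTPS page that resolve to http:// targets.
// SAMPLE_PAGE_URL, SAMPLE_HTML and all hostnames are constructed sample data.
const SAMPLE_PAGE_URL = "https://app.example/releases/index.html";
const SAMPLE_HTML = `
  <a href="/files/setup.exe" download>relative, inherits https</a>
  <a href="//cdn.example/tool.zip">protocol-relative, inherits https</a>
  <a href="http://mirror.example/tool.zip" download>explicit http</a>
  <a href='HTTP://mirror.example/report.pdf'>upper-case scheme</a>
  <a href="mailto:team@app.example">not a fetch</a>
  <a href="http://[bad">unparseable URL</a>
`;

// Pull href values out of <a> tags. A regex is enough for an audit pass over
// your own static markup; use a real HTML parser for untrusted input.
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1] ?? m[2] ?? m[3]);
  return hrefs;
}

// Resolve every link against the page URL, as the browser would, and return
// the absolute URLs that end up on plain HTTP.
function findInsecureLinks(pageUrl, html) {
  const page = new URL(pageUrl);
  // Only a page served over HTTPS can initiate a *mixed content* download.
  if (page.protocol !== "https:") return [];
  const findings = [];
  for (const href of extractHrefs(html)) {
    let target;
    try { target = new URL(href, page); } catch { continue; } // skip unparseable
    if (target.protocol === "http:") findings.push(target.href);
  }
  return findings;
}

console.log(findInsecureLinks(SAMPLE_PAGE_URL, SAMPLE_HTML));
```

Static markup cannot show which links actually trigger a download, so every flagged link is a candidate to move to HTTPS rather than a confirmed blocked download.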

Search tags

downloads, mixed content, blocking, tls, ssl, mix-dl

Last updated on 2020-10-02