
From Chrome 83 Onwards, Google Will Block Some HTTP File Downloads

Restrictions on Mixed Content – Google Won’t Allow You to Download Some Files via HTTP

Google Chrome is one of the most widely used web browsers today, and Google takes its users’ security seriously. The company updates Chrome regularly, and this time is no different.


Many might not know it, but back in April 2019 Google raised concerns about this class of cybersecurity threat, and its engineers shared their intention to block some files that are downloaded over HTTP from pages loaded over HTTPS.

Google has now officially announced that it will carry out this plan and change upcoming versions of the Chrome browser accordingly. That does not mean all HTTP downloads will be banned, at least not at once.

The browser maker also said earlier that it does not intend to block HTTP downloads that come from HTTP sites. Chrome already warns users about such a site’s security by showing the “Not Secure” warning in its URL bar.

Here’s What Google Will Start Blocking

According to the schedule Google released on February 6, 2020 (updated on April 6, 2020), Chrome will begin blocking “risky downloads” starting with Chrome 83, expected to be released in June 2020. Luckily, some HTTP files will not be banned.

The main aim is to block insecure downloads from sites that appear secure because they load over HTTPS, while the download itself actually comes over HTTP. Google wants to stop this because the presence of HTTPS (an SSL/TLS certificate) leads users to believe that their download also travels over HTTPS, which is not always the case.

Chrome’s New Change

You won’t see this change all at once. It will be enforced in six stages that slowly eliminate HTTP downloads coming from HTTPS sites.

Let’s break it down:

In Chrome 81 (Already Released):

  • Chrome has started showing a console message that warns about mixed content downloads.

From Chrome 82 (Was Due for Release in April 2020, but Will Be Skipped):

  • Chrome was going to block executable files delivered as mixed content.

From Chrome 83 (Expected to Be Released in June 2020):

  • Chrome will start blocking some executable files delivered as mixed content.
  • Chrome will warn users about archives (.zip) and disk images (.iso) delivered as mixed content.

From Chrome 84 (Expected to Be Released in August 2020):

  • Chrome will completely block executables, archives, and disk image files.
  • Chrome will start warning about image, audio, video, and text formats delivered as mixed content downloads.

From Chrome 85 (Expected to Be Released in September 2020):

  • Chrome will warn users about downloads of all images, audio, video, and text delivered as mixed content.
  • Other files delivered as mixed content will be blocked and cannot be downloaded.

From Chrome 86 Onwards (Expected in October 2020):

  • All mixed content downloads will be blocked and will fail.

Google Chrome: Why the Sudden Mixed Content Restrictions

According to Google, the file types it treats as “high-risk” are the ones that are abused to hide malware. To reduce this problem, Google engineers decided to block these insecure downloads on sites that appear secure because of their HTTPS connection. The risky file formats include EXE (Windows application binary), CRX (Chrome extension package), DMG (Mac application binary), and major archive formats such as GZIP, BZIP, ZIP, TAR, RAR, and 7Z.

Google has also acknowledged that in some circumstances, such as intranets, HTTP downloads do not carry a higher risk. For these situations, the Chrome policy InsecureContentAllowedForUrls allows HTTP downloads within controlled environments.

Webmasters who want to test whether their websites comply with the new policy can do so with the latest Google Chrome Canary, the testing version of Chrome. All you need to do is enable the Chrome flag: chrome://flags/#treat-unsafe-downloads-as-active-content
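A static pre-check for the mixed content downloads described above, as an added example (not code from Google or from the original article): it scans an HTTPS page's markup for links that resolve to `http://` downloads and reports the Chrome version at which this article's schedule warns on or blocks each one. The category names, the media/text extensions, the download-detection heuristic and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath
# File types named in the article; the media/text extensions are assumed samples.
CATEGORIES = {
    "executable": {".exe", ".crx", ".dmg"},
    "archive_or_disk_image": {".zip", ".iso", ".gz", ".bz2", ".tar", ".rar", ".7z"},
    "media_or_text": {".png", ".jpg", ".mp3", ".mp4", ".txt"}}
# (first Chrome version that warns, first that blocks), per the article's schedule.
SCHEDULE = {"executable": (None, 83), "archive_or_disk_image": (83, 84),
            "media_or_text": (84, 86), "other": (None, 85)}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, has_download_attribute) per <a> tag
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))

def categorize(url):
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return next((n for n, exts in CATEGORIES.items() if ext in exts), "other")

def audit(page_url, html):
    """List (url, category, warn_from, block_from) for HTTP downloads on an HTTPS page."""
    if urlparse(page_url).scheme != "https":
        return []  # HTTP downloads from HTTP pages are not part of this change
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, has_download in collector.links:
        target = urljoin(page_url, href)  # resolves relative and // links
        category = categorize(target)
        # Heuristic: a known extension or a download attribute marks a download.
        if urlparse(target).scheme == "http" and (has_download or category != "other"):
            findings.append((target, category) + SCHEDULE[category])
    return findings

def action_in(chrome_version, warn_from, block_from):
    warned = warn_from is not None and chrome_version >= warn_from
    return "block" if chrome_version >= block_from else "warn" if warned else "allow"

# Constructed sample markup, not taken from any real site.
SAMPLE_HTML = """<a href="http://dl.example.test/setup.exe">exe</a>
<a href="//dl.example.test/tool.dmg">dmg</a> <a href="/files/manual.txt">txt</a>
<a href="http://dl.example.test/backup.ZIP">zip</a> <a href="http://blog.example.test/post.html">nav</a>
<a href="http://dl.example.test/report" download>report</a>"""
```

Whether Chrome treats a response as a download depends on the server's response, which markup alone cannot show, so the Canary flag remains the authoritative test.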

Summary

Last year, Mozilla also showed interest in implementing similar mixed content blocking, but did not take the initiative. If you’re a Google Chrome user, this is one of several changes you’ll find in coming versions that restrict insecure downloads through Chrome. Developers are therefore advised to start migrating to HTTPS to avoid future restrictions without compromising users’ security and privacy.
