On February 6, 2020, Google announced that Chrome would gradually ensure that secure (HTTPS) pages only download secure files. The browser started blocking “mixed content downloads” (non-HTTPS downloads started from secure pages) following a series of steps that it outlined.
The move follows a plan announced in October 2019 to begin blocking all insecure sub-resources on secure pages. Insecurely-downloaded files present major risks to users’ privacy and security.
For example, an attacker in a position to tamper with traffic can substitute malware for an insecurely-downloaded program, and an eavesdropper can read an unsuspecting user’s insecurely-downloaded bank statement.
To address these risks, Google plans to eliminate support for insecure downloads in Chrome. The first step is to remove insecure downloads started from secure pages, since these are the cases in which unsuspecting Chrome users’ privacy and security are most at risk.
Chrome will start warning on, and later blocking, mixed content downloads beginning with Chrome 82, due for release in April 2020. The file types that pose the greatest risk will be targeted first, and subsequent releases will cover more file types.
The gradual rollout is designed to neutralize the worst risks quickly while giving developers time to update their sites, reducing the number of warnings that Chrome users have to see.
Google plans to roll out restrictions on mixed content downloads on desktop platforms first, which include Chrome OS, Windows, Linux, and macOS.
Google also announced that it would delay the rollout for Android and iOS users by one release, so warnings on those platforms will begin in Chrome 83. Mobile platforms have stronger native protections against malicious files.
The delay therefore gives developers time to prepare and update their sites before the restrictions reach mobile users.
Developers should aim to ensure that their users never see a download warning, which they can achieve by ensuring that downloads are only ever served over HTTPS.
In Chrome Canary, or in Chrome 81 once it is released, developers can enable a warning on all mixed content downloads for testing by turning on the “Treat risky downloads over insecure connections as active mixed content” flag.
Education and enterprise customers can disable the block on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern that matches the page requesting the download.
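Before Chrome starts warning, a site owner wants to know which links on an HTTPS page would count as mixed content downloads. The following scanner is an added example, not code from the article or from Google: it parses a page's HTML, resolves every link against the page URL, and reports links that resolve to `http://` and look like downloads. Chrome's actual list of risky file types is not given on the page, so the `RISKY_EXTENSIONS` set below is an assumption for illustration; the sample HTML is constructed inline.

```python
"""Scan an HTTPS page's HTML for links that would be mixed content downloads.

Added example (not from the article or from Chrome's own code). A link is
reported when the page is https:// and the link resolves to http:// and
either carries a `download` attribute or points at a file extension in the
ASSUMED risky-extension list below.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption for illustration only: Chrome's real file-type list is not on the page.
RISKY_EXTENSIONS = {".exe", ".msi", ".dmg", ".pkg", ".apk", ".zip", ".pdf", ".doc", ".docx", ".xls"}


class LinkCollector(HTMLParser):
    """Collect (href, has_download_attribute) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attributes = dict(attrs)
        href = attributes.get("href")
        if href:
            self.links.append((href, "download" in attributes))


def find_insecure_downloads(page_url, html):
    """Return [(resolved_url, reason)] for download links served over plain HTTP.

    Only https:// pages are subject to the mixed content download block, so a
    page that is itself http:// yields no findings.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, has_download in collector.links:
        # Relative and protocol-relative links inherit the page's https scheme.
        resolved = urljoin(page_url, href)
        parts = urlsplit(resolved)
        if parts.scheme != "http":
            continue
        ext = os.path.splitext(parts.path)[1].lower()
        if has_download:
            findings.append((resolved, "download attribute"))
        elif ext in RISKY_EXTENSIONS:
            findings.append((resolved, "risky extension " + ext))
    return findings


# Constructed sample page: two links should be flagged, the rest are fine.
SAMPLE_PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<html><body>
<a href="https://www.example.com/files/tool.exe">secure download</a>
<a href="http://mirror.example.com/files/tool.exe">old mirror</a>
<a href="//cdn.example.com/archive.zip">protocol-relative</a>
<a href="/files/setup.msi">relative path</a>
<a href="http://legacy.example.com/report" download>legacy export</a>
<a href="http://blog.example.com/post.html">plain page link</a>
</body></html>
"""

if __name__ == "__main__":
    for url, reason in find_insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content download: {url} ({reason})")
```

Run it against a saved copy of a page's HTML (for example, the output of `curl`) with the page's own URL as `page_url`; every reported link is one that should be moved to HTTPS before Chrome 82 starts warning on it.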
Further restrictions on insecure downloads in Chrome are expected in the future. Developers should migrate to HTTPS entirely, both to avoid any future restrictions and to fully protect their users.