Google Online Security Blog: Protecting users from insecure downloads in Google Chrome

Security Blog

The latest news and insights from Google on security and safety on the Internet

Protecting users from insecure downloads in Google Chrome

February 6, 2020

Posted by Joe DeBlasio, Chrome security team Update (04/06/2020): Chrome was originally scheduled to start user-visible warnings on mixed downloads in Chrome 82. These warnings, as well as subsequent blocking, will be delayed by at least two releases. Console warnings on mixed downloads will begin as scheduled in Chrome 81. At this time, we expect to start user-visible warnings in Chrome 84. The Chrome Platform Status entry will be kept up-to-date as timing is finalized. Developers who are otherwise able to do so are encouraged to transition to secure downloads as soon as possible to avoid future disruption. plan we announced last year

In Chrome 81 (released March 2020) and later:

Chrome will print a console message warning about all mixed content downloads.

In Chrome 82 (released April 2020):

Chrome will warn on mixed content downloads of executables (e.g. .exe).

In Chrome 83 (released June 2020):

Chrome will block mixed content executables
Chrome will warn on mixed content archives (.zip) and disk images (.iso).

In Chrome 84 (released August 2020):

Chrome will block mixed content executables, archives and disk images
Chrome will warn on all other mixed content downloads except image, audio, video and text formats.

In Chrome 85 (released September 2020):

Chrome will warn on mixed content downloads of images, audio, video, and text
Chrome will block all other mixed content downloads

In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.

Example of a potential warning Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.