Google wants to block some file downloads carried out via HTTP on websites that load via an HTTPS URL.
According to a proposal the browser maker has put forward yesterday, only the download of certain “high-risk” file types will be blocked by default.
This includes EXE (Windows executable), DMG (macOS disk image, the usual container for Mac application installers), CRX (Chrome extension package), and all the major archive formats, like ZIP, GZIP, BZIP2, TAR, RAR, and 7Z.
These file types are considered “high-risk” because they are most likely to be abused to hide malware.
The idea, according to Google, is to block any of these files when the download takes place via an HTTP connection, even if the site the user is downloading the data from is loaded via secure HTTPS.
Google said it’s currently not thinking of blocking downloads started from HTTP sites, since the browser is already warning users about the site’s poor security via the “Not Secure” indicator in the URL bar.
The plan is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol’ HTTP.
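The rule described above is easy to misread, so here it is as a small decision function. This is an added illustration written for this article, not Chrome's implementation or anything from the W3C proposal; the high-risk extension list is taken from the article, the domains and file names in the sample calls are made up, and the treatment of relative links (resolved against the page URL, so a relative link on an HTTPS page is an HTTPS download) is an assumption about how a browser would see them.

```javascript
// Added example: a simplified model of the proposed mixed-content download rule.
// Not Chrome's code. Extension list follows the article; everything else is assumed.

// File types the article calls "high-risk" (lower-case, final extension only).
const HIGH_RISK_EXTENSIONS = new Set([
  "exe", "dmg", "crx",            // executables / installers / extensions
  "zip", "gz", "tgz", "bz2", "tbz2", "tar", "rar", "7z", // archives
]);

// Return the final extension of the file named by a URL, ignoring query
// string and fragment, so "archive.tar.gz?x=1" yields "gz".
function downloadExtension(downloadUrl, pageUrl) {
  const path = new URL(downloadUrl, pageUrl).pathname;
  const name = path.slice(path.lastIndexOf("/") + 1).toLowerCase();
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot + 1) : "";
}

function isHighRisk(downloadUrl, pageUrl) {
  return HIGH_RISK_EXTENSIONS.has(downloadExtension(downloadUrl, pageUrl));
}

// Decide what happens to a download started from `pageUrl` that fetches
// `downloadUrl` (absolute or relative). Returns { action, reason } where
// action is "block" or "allow".
function classifyDownload(pageUrl, downloadUrl) {
  const page = new URL(pageUrl);
  const target = new URL(downloadUrl, pageUrl); // relative links resolve against the page

  // HTTP pages are left alone: the URL bar already shows "Not Secure".
  if (page.protocol !== "https:") {
    return { action: "allow", reason: "page is not HTTPS; Not Secure indicator already shown" };
  }
  // HTTPS page, but the download itself travels over plain HTTP.
  if (target.protocol === "http:") {
    if (isHighRisk(downloadUrl, pageUrl)) {
      return { action: "block", reason: "high-risk file fetched over HTTP from an HTTPS page" };
    }
    return { action: "allow", reason: "insecure download, but file type is not on the high-risk list" };
  }
  // HTTPS page and HTTPS download: nothing to do.
  return { action: "allow", reason: "download is itself HTTPS" };
}

// Constructed sample calls (example.com hosts are placeholders).
const samples = [
  ["https://example.com/download/", "http://cdn.example.com/setup.exe"],     // block
  ["https://example.com/download/", "https://cdn.example.com/setup.exe"],    // allow
  ["http://example.com/download/",  "http://cdn.example.com/setup.exe"],     // allow (HTTP page)
  ["https://example.com/download/", "http://cdn.example.com/readme.txt"],    // allow (not high-risk)
  ["https://example.com/download/", "files/archive.tar.gz"],                 // allow (relative => HTTPS)
];
for (const [page, dl] of samples) {
  const { action, reason } = classifyDownload(page, dl);
  console.log(`${action.padEnd(5)} ${dl} <- ${page} (${reason})`);
}
```

Two things the model makes visible that the prose does not: the check keys off the scheme of the download URL, not the page, so a relative link on an HTTPS site is fine while an absolute `http://` link to a CDN is what gets caught; and the extension is matched on the final suffix, so compound archive names such as `.tar.gz` fall under the GZIP entry.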
Emily Stark, the Google engineer who revealed Chrome’s plans on the World Wide Web Consortium (W3C) mailing list yesterday, did so in order to ask other browser makers to implement a similar mechanism.
“I wanted to see if other browsers would be interested in joining us on this adventure,” Stark said.
While a Mozilla engineer posted a favorable comment, a Mozilla spokesperson did not confirm any official plans to support such a feature in future Firefox releases.
According to Stark, Chrome engineers will focus primarily on the browser's desktop version. On Android, Chrome already works with Safe Browsing to block suspicious APK (Android package) downloads in a similar manner.