In April 2019, ZDNet reported about a proposal Google had made to other browser makers in an attempt to get everyone on board.
The plan, at the time, was that browsers block file downloads that take place via HTTP, when the user initiated the file download from a site loaded via HTTPS.
Today, Google announced it was formally moving ahead with last year’s proposal, and would be making changes to the Chrome browser going forward.
What exactly is Google blocking?
According to a release schedule Google published today, starting with Chrome 83, which will be released in June, Chrome will begin blocking “risky downloads.”
Google will not be banning all HTTP downloads, but only some.
The browser maker said last year it did not intend to block HTTP downloads started from HTTP sites, since Chrome is already warning users about the site’s poor security via the “Not Secure” indicator in the URL bar.
The plan is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads aren’t (loaded via HTTP).
Google said that the presence of HTTPS in the site’s URL was tricking users into thinking the download was also served via HTTPS, when in some cases it was not.
It’s these cases that Google is trying to stop.
The new change in Chrome’s behavior won’t be enforced all at once. Google today published a six-step process during which it will gradually ban HTTP downloads on HTTPS sites:
Chrome 81 (March 2020) – Chrome will print a console message warning about all mixed content downloads.
Chrome 82 (April 2020) – Chrome will warn on mixed content downloads of executables (e.g. .exe).
Chrome 83 (June 2020) – Chrome will block mixed content executables. Chrome will warn on mixed content archives (.zip) and disk images (.iso).
Chrome 84 (August 2020) – Chrome will block mixed content executables, archives and disk images. Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
Chrome 85 (September 2020) – Chrome will warn on mixed content downloads of images, audio, video, and text. Chrome will block all other mixed content downloads.
Chrome 86 (October 2020) – Chrome will block all mixed content downloads.
But Google said it also understands that in some controlled conditions, like intranets, HTTP downloads may carry a lower risk. For these situations, Google said there’s a Google Chrome policy (InsecureContentAllowedForUrls) that can allow HTTP downloads in controlled environments.
Webmasters who want to test whether their sites comply with this new policy can do so right now in Google Chrome Canary, Chrome’s testing version. To do so, they’ll need to enable the following Chrome flag:
Last year, Mozilla also expressed interest in implementing a similar block, however, the Firefox maker has not published any further plans on the matter.
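As an added illustration of the check a webmaster would want to run before these releases land (this is example code written for this page, not Google’s or ZDNet’s), the script below scans the HTML of a page served over HTTPS for anchor links that point at http:// files and reports, per the schedule above, the Chrome version at which each would start to warn and to be blocked. The article names only .exe, .zip and .iso; every other extension in the category table, the sample page, and the hostnames in it are assumptions constructed for the example, not Chrome’s actual classification list.

```python
"""Static audit of an HTTPS page for mixed-content download links: anchors on
a page served over HTTPS that point at http:// files. The per-file-type
schedule follows the Chrome 81-86 phases described in the article."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import os

# File-type groups. The article names .exe, .zip and .iso; the remaining
# extensions are assumptions added for illustration, not Chrome's exact list.
CATEGORIES = {
    "executable": {".exe", ".msi", ".dmg"},
    "archive":    {".zip", ".7z", ".rar", ".gz"},
    "disk image": {".iso", ".img"},
    "low risk":   {".png", ".jpg", ".gif", ".mp3", ".mp4", ".txt"},  # image/audio/video/text
    "other":      {".pdf", ".bin", ".doc"},
}

# (first Chrome version that warns, first version that blocks), per the article.
SCHEDULE = {
    "executable": (82, 83),
    "archive":    (83, 84),
    "disk image": (83, 84),
    "other":      (84, 85),
    "low risk":   (85, 86),
}


class _AnchorCollector(HTMLParser):
    """Gather every href on <a> tags; nothing else is needed for this audit."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def category_of(url):
    """Return the file-type group for a URL, or None if it does not look like a file download."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    for name, exts in CATEGORIES.items():
        if ext in exts:
            return name
    return None


def find_mixed_downloads(page_url, html):
    """List http:// download links found on an https:// page, each with the
    Chrome version at which it would start to warn and to be blocked."""
    if urlparse(page_url).scheme != "https":
        return []  # an HTTP page is not a mixed-content case; Chrome already marks it "Not Secure"
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # relative and scheme-relative links inherit https
        if urlparse(absolute).scheme != "http":
            continue
        category = category_of(absolute)
        if category is None:
            continue  # plain navigation link, not a download
        warn_from, block_from = SCHEDULE[category]
        findings.append({"url": absolute, "category": category,
                         "warn_from": warn_from, "block_from": block_from})
    return findings


# Constructed sample page for the example; the hosts are placeholders.
SAMPLE_PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<html><body>
<a href="http://cdn.example.com/installer.exe">Installer</a>
<a href="/downloads/source.zip">Source (same origin, stays https)</a>
<a href="//cdn.example.com/data.txt">Data (scheme-relative, resolves to https)</a>
<a href="http://mirror.example.net/live.iso">Live image</a>
<a href="http://cdn.example.com/logo.png">Logo</a>
<a href="http://cdn.example.com/manual.pdf">Manual</a>
<a href="http://www.example.com/about.html">About (navigation, not a download)</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['url']}: {f['category']}, warns from Chrome {f['warn_from']}, "
              f"blocked from Chrome {f['block_from']}")
```

Note that this is a static approximation: Chrome decides at download time, based on the response it actually receives, so a link with no file extension that the server answers with a download disposition would be missed here, and a link that redirects from http:// to https:// would still be flagged. The useful property is the other direction: anything this script reports is an http:// link on an https:// page and is worth fixing regardless.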