In an effort to improve download protection, Chrome will begin blocking downloads delivered over non-secure HTTP, Google’s Security Blog said in a statement. As a continuation of a plan announced last year, Chrome will begin blocking all “non-secure sub-resources” on secure pages. Given that unsafe file downloads threaten users’ security and privacy, this is a matter of real concern.
(From: Google Security Blog)
For example, an attacker could intercept an unsecured download, replace the program with malware, and even access more sensitive information. To manage these risks, Google eventually decided to eliminate support for unsafe downloads.
Initially, Chrome will block unsafe downloads that start from secure pages. These cases are particularly worrying because Chrome is currently unable to show users that their privacy and security are at risk.
Starting with Chrome 82 in April 2020, Chrome will gradually issue warnings until it finally blocks such mixed content downloads.
The file types that pose the greatest risk to users (executable files) will be affected first, and subsequent versions will cover more file types.
The goal of the step-by-step rollout is to quickly mitigate the most serious risks, give developers buffer time to update their sites, and minimize the number of warnings that Chrome users must see.
Google plans to start with restrictions on downloads of mixed content on Windows, macOS, Chrome OS, and Linux desktop platforms, and here’s the Chrome team’s schedule:
Chrome 81 (March 2020): The browser prints a console message warning about all mixed content downloads;
Chrome 82 (April 2020): The browser warns on mixed content downloads of executables (.exe, etc.);
Chrome 83 (June 2020): Warns on mixed content downloads of archives (.zip) and disk images (.iso);
Chrome 84 (August 2020): Warns on mixed content downloads other than images, audio, video, and text;
Chrome 85 (September 2020): Warns on mixed content downloads of image, audio, video, and text files;
Chrome 86 (October 2020): Block downloads of all types of mixed content.
As for the Android and iOS mobile platforms, Google will delay the policy by one release, starting with Chrome 83.
Given that the mobile platforms have better protection against malicious files, the delay gives developers the opportunity to update their mobile sites before users encounter problems.
In addition, in the current version of Chrome Canary or Chrome 81, developers can activate warnings by enabling the “Treat risky downloads over insecure connections as active mixed content” flag.
Enterprise and education customers can disable blocking on a per-site basis by adding a pattern matching the page requesting the download to the existing InsecureContentAllowedForUrls policy.
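For site owners preparing for this rollout, the following added example (not code from Google or the Chrome team) scans a secure page's HTML for links to plain-HTTP downloads and maps each one to the first desktop Chrome version in the schedule above that warns about it. The extension-to-category mapping, the navigation heuristic, and the names `audit`, `LinkCollector` and `SAMPLE` are assumptions for illustration; a static scan cannot see redirects or server-set headers, so it only approximates what the browser decides at request time.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# First desktop Chrome version that warns, per the schedule above; Chrome 86 blocks all.
WARN_FROM = {"executable": 82, "archive_or_image": 83, "other": 84, "media_text": 85}
# Extension mapping is an assumption; the schedule only names .exe, .zip and .iso.
CATEGORY = {".exe": "executable", ".zip": "archive_or_image", ".iso": "archive_or_image",
            ".png": "media_text", ".jpg": "media_text", ".mp3": "media_text",
            ".mp4": "media_text", ".txt": "media_text"}
NAVIGATION = {"", ".html", ".htm"}  # heuristic: treated as page loads, not downloads

class LinkCollector(HTMLParser):
    """Collects (href, has_download_attribute) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))

def audit(page_url, html):
    """Return (url, category, first_warning_version) for each insecure download link."""
    if urlparse(page_url).scheme != "https":
        return []  # the policy covers downloads started from secure pages
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, forced in collector.links:
        target = urlparse(urljoin(page_url, href))  # resolves relative and //host links
        ext = posixpath.splitext(target.path)[1].lower()
        if target.scheme != "http" or (ext in NAVIGATION and not forced):
            continue
        category = CATEGORY.get(ext, "other")
        findings.append((target.geturl(), category, WARN_FROM[category]))
    return sorted(findings, key=lambda f: (f[2], f[0]))

# Constructed sample page, not taken from a real site.
SAMPLE = """<a href="http://dl.example.test/setup.EXE">Installer</a>
<a href="/files/manual.zip">Manual</a> <a href="//cdn.example.test/a.iso">ISO</a>
<a href="http://dl.example.test/backup.zip">Backup</a> <a href="http://dl.example.test/report.pdf">Report</a>
<a href="http://example.test/about.html">About</a> <a href="http://dl.example.test/get" download>Latest</a>"""

if __name__ == "__main__":
    for url, category, version in audit("https://www.example.test/downloads", SAMPLE):
        print(f"Chrome {version} warns, Chrome 86 blocks: {category:17} {url}")
```

Relative and protocol-relative links inherit the page's HTTPS scheme and are not reported; links with a `download` attribute are reported even without a file extension.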