Date: 2020-02-06

In April 2019, ZDNet reported on a proposal that Google had made to other browser makers in an effort to get everyone on board.

The plan at that time was for browsers to block file downloads that take place via HTTP when the user started the file download from a site loaded via HTTPS.

Today Google announced that it will formally move ahead with last year's proposal and change Chrome's behavior in future releases.

What exactly is Google blocking?

According to a release schedule that Google has published today, starting with Chrome 83, which will be released in June, Chrome will start blocking “risky downloads”.

Google is not prohibiting all HTTP downloads, only certain ones.

The browser maker said last year that it had no intention of blocking HTTP downloads launched from HTTP sites, because Chrome already warns users of poor site security through the "Unprotected" indicator in the URL bar.

The plan is to block unsafe downloads on sites that appear secure (loaded via HTTPS) but where the downloads are not (loaded via HTTP).

Google said that the presence of HTTPS in the site URL leads users to assume that the download also takes place via HTTPS, which in some cases it does not.

It is these cases that Google is trying to stop.

The change in Chrome's behavior will not be implemented overnight. Google today published a six-step process that will gradually prohibit HTTP downloads on HTTPS sites:


Chrome 81 (March 2020) – Chrome prints a console message warning about all mixed content downloads.

Chrome 82 (April 2020) – Chrome warns on mixed content downloads of executable files (e.g. .exe).

Chrome 83 (June 2020) – Chrome blocks mixed content executables. Chrome warns on mixed content archives (.zip) and disk images (.iso).

Chrome 84 (August 2020) – Chrome blocks mixed content executables, archives, and disk images. Chrome warns on all other mixed content downloads except images, audio, video and text.

Chrome 85 (September 2020) – Chrome warns on mixed content image, audio, video, and text downloads. Chrome blocks all other mixed content downloads.

Chrome 86 (October 2020) – Chrome blocks all mixed content downloads.

But Google said it also understands that in some controlled circumstances, such as intranets, HTTP downloads may have a lower risk. For these situations, Google said there is a Google Chrome policy (InsecureContentAllowedForUrls) that allows HTTP downloads in controlled environments.

Webmasters who want to test whether their sites comply with this new policy can now do so in Google Chrome Canary, the test version of Chrome. To do this, they must enable the following Chrome flag:

chrome://flags/#treat-unsafe-downloads-as-active-content
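To triage a site ahead of these releases, the added example below (not code from Google or from the original article) takes an HTTPS page URL and the link targets found on it, and reports what the schedule above says a given Chrome version does with each plain-HTTP target. The function name, the sample URLs and every file extension other than .exe, .zip and .iso are assumptions; it classifies by extension only and does not follow redirects.

```javascript
// Rollout schedule as given in the article: the first Chrome version that
// warns on, then blocks, each class of mixed content download.
// Extension lists beyond .exe, .zip and .iso are illustrative assumptions.
const CATEGORIES = [
  { name: "executable", exts: ["exe"], warn: 82, block: 83 },
  { name: "archive or disk image", exts: ["zip", "iso"], warn: 83, block: 84 },
  { name: "image, audio, video or text",
    exts: ["png", "jpg", "gif", "mp3", "mp4", "txt"], warn: 85, block: 86 },
];
const OTHER = { name: "other", warn: 84, block: 85 };

// Returns one finding per link that an HTTPS page points at plain HTTP.
// Hypothetical helper; classification is by file extension only.
function auditMixedDownloads(pageUrl, hrefs, chromeVersion) {
  const page = new URL(pageUrl);
  // Downloads started from HTTP pages are outside the plan described above.
  if (page.protocol !== "https:") return [];
  const findings = [];
  for (const href of hrefs) {
    let target;
    try {
      target = new URL(href, page); // resolves relative and //host links
    } catch {
      continue; // not a parseable URL
    }
    if (target.protocol !== "http:") continue;
    const match = /\.([a-z0-9]+)$/i.exec(target.pathname);
    const ext = match ? match[1].toLowerCase() : "";
    const cat = CATEGORIES.find((c) => c.exts.includes(ext)) || OTHER;
    let action = "none";
    if (chromeVersion >= cat.block) action = "block";
    else if (chromeVersion >= cat.warn) action = "warn";
    else if (chromeVersion >= 81) action = "console message";
    findings.push({ url: target.href, category: cat.name, action });
  }
  return findings;
}

// Constructed sample input (not from the article).
const SAMPLE_PAGE = "https://downloads.example/releases/";
const SAMPLE_HREFS = [
  "http://downloads.example/setup.exe",
  "http://mirror.example/bundle.zip",
  "http://mirror.example/manual.pdf",
  "http://mirror.example/logo.png",
  "/releases/notes.txt",    // relative: stays on HTTPS
  "//cdn.example/tool.iso", // scheme-relative: stays on HTTPS
];
console.log(auditMixedDownloads(SAMPLE_PAGE, SAMPLE_HREFS, 83));
```

In a browser console the same function can be fed the live page with `auditMixedDownloads(location.href, [...document.links].map(a => a.getAttribute("href")), 83)`.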

Last year, Mozilla also expressed an interest in implementing a similar block, but the Firefox maker has not published any further plans on this.