Google is announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, they will start blocking “mixed content downloads” (non-HTTPS downloads started on secure pages).
This move follows a plan they announced last year to start blocking all insecure subresources on secure pages. Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements. To address these risks, they plan to eventually remove support for insecure downloads in Chrome.
As a first step, they are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
Google plans to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first.
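As an added example, not code from Google's announcement or from Chrome: a small Python audit script a site owner can run over a page's HTML to find links that would start a download over plain HTTP from an HTTPS page, before Chrome begins warning on or blocking them. The high-risk extension list and the sample page below are constructed assumptions, since the announcement only names executables as the first affected type.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed set of high-risk download types; the announcement names executables
# first, the concrete extensions here are an assumption for this example.
HIGH_RISK_EXTENSIONS = {".exe", ".msi", ".dmg", ".pkg", ".apk", ".bat", ".sh"}


class LinkCollector(HTMLParser):
    """Collect (href, has_download_attr) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        if attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))


def find_mixed_content_downloads(page_url, html):
    """Return (resolved_url, reason) for links on an HTTPS page whose
    download would travel over plain HTTP. Non-HTTPS pages are out of
    scope, matching the announcement's first step."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, has_download_attr in collector.links:
        target = urljoin(page_url, href)  # resolves relative and //host links
        parts = urlsplit(target)
        if parts.scheme != "http":
            continue
        ext = posixpath.splitext(parts.path)[1].lower()
        if ext in HIGH_RISK_EXTENSIONS:
            findings.append((target, "high-risk file type over http"))
        elif has_download_attr:
            findings.append((target, "forced download over http"))
    return findings


# Constructed sample page: two links would trigger insecure downloads.
SAMPLE_PAGE_URL = "https://example.test/downloads"
SAMPLE_HTML = """
<a href="http://cdn.example.test/installer.exe">Installer</a>
<a href="http://cdn.example.test/statement.pdf" download>Statement</a>
<a href="//cdn.example.test/report.pdf" download>Report</a>
<a href="https://cdn.example.test/app.dmg">Mac build</a>
<a href="/docs/guide.html">Guide</a>
<a href="http://cdn.example.test/notes.txt">Notes</a>
"""

if __name__ == "__main__":
    for url, reason in find_mixed_content_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {url}")
```

The scheme-relative `//cdn.example.test/report.pdf` link is not flagged because it inherits HTTPS from the page, which is also the simplest fix for the flagged links.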