Nowadays, most websites that take their visitors' privacy and security seriously serve their pages over HTTPS, using a TLS certificate (still widely called an SSL certificate). The change from "http://" to "https://" in the URL tells anyone who visits that the connection between browser and site is encrypted and that the site's identity has been checked by a certificate authority. It does not, by itself, vouch for what the site does with your data or for where its links lead.
So, when you are filling out an online form or logging into your bank, you can click the lock icon at the left of the browser's address bar to see this information and feel at ease. Downloads are a different matter. Chrome already blocks mixed-content downloads, meaning files that an HTTPS page fetches over plain HTTP, but a site marked "secure" can still hand you off to a download that ends up on a non-secure connection, for example through a redirect, whether by mistake or to trick you.
Whether or not the site owner intends it, this mixed-content approach is dangerous to users, and Google is doing something about it. In a new Chromium commit first discovered by 9to5Google, the development team is looking to cut off downloads from non-secure locations entirely, whether the user clicks a link or the site pushes a file on them automatically when they visit.
Block insecure downloads
Enables insecure download blocking. This shows a ‘blocked’ message if the user attempts to download a file over an insecure transport (e.g. HTTP) either directly or via an insecure redirect
chrome://flags/#block-insecure-downloads
In other words, even when a secure site offers a download through an HTTPS link that is later redirected to a plain-HTTP location, Chrome follows the redirect chain, spots the insecure hop, and blocks the file. Luckily, for cases where you have already decided that you trust the source and the web developers simply set things up poorly, you will be able to bypass the block once it goes into effect in Chrome version 111 in a few months.
For now, this is only a developer flag that you can toggle; as a regular user you won't hear anything about it until it ships. There's no word on whether it will remain toggleable or eventually be enforced and on by default, but we'll let you know if that happens.
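To make the rule concrete, here is an added example, not code from Chrome or from the article, that models the decision the flag describes and sets it beside the older mixed-content download rule on the same inputs. It runs under Node.js with the built-in WHATWG URL parser. The hostnames and redirect chains are constructed for illustration, and the list of schemes treated as secure and the exemption for loopback hosts are assumptions, modelled loosely on the Secure Contexts notion of a potentially trustworthy origin, not a statement of what Chrome's implementation does.

```javascript
// Added example (not Chrome's code, not the article's): a simplified model
// of the "Block insecure downloads" decision next to the older
// mixed-content download rule, so the two can be compared on the same inputs.

// Assumption (not from the article): schemes counted as secure transport.
const SECURE_SCHEMES = new Set(["https:", "wss:", "file:", "data:", "blob:", "about:"]);

// Assumption (not from the article): loopback hosts are exempt, as the
// Secure Contexts spec treats them as potentially trustworthy.
function isLoopbackHost(hostname) {
  return hostname === "localhost" || hostname.endsWith(".localhost") ||
         hostname === "127.0.0.1" || hostname === "[::1]";
}

// A hop is insecure when it is fetched over a non-secure transport,
// e.g. plain HTTP (or ws:) to anything other than a loopback host.
function isInsecureHop(urlString) {
  const url = new URL(urlString);
  if (SECURE_SCHEMES.has(url.protocol)) return false;
  if ((url.protocol === "http:" || url.protocol === "ws:") && isLoopbackHost(url.hostname)) return false;
  return true;
}

// initiator: URL of the page the download started from (a clicked link or a
//            file the page pushed automatically).
// chain:     every URL the browser actually fetched for the download, in
//            order: the URL the page asked for, then each redirect target,
//            ending at the URL that served the bytes.
// Returns the verdict of the older mixed-content rule (block only when a
// secure page ends up fetching over an insecure hop), the verdict of the new
// flag (block whenever any hop is insecure, whatever the initiator), and the
// first hop that tripped it, or null.
function classifyDownload(initiator, chain) {
  const firstInsecureHop = chain.find(isInsecureHop) ?? null;
  const initiatorIsSecure = !isInsecureHop(initiator);
  const insecureDownloadFlag = firstInsecureHop ? "block" : "allow";
  const mixedContentRule = firstInsecureHop && initiatorIsSecure ? "block" : "allow";
  return { mixedContentRule, insecureDownloadFlag, firstInsecureHop };
}

// Constructed scenarios; the hosts (.test TLD) and redirect chains are made up.
const SCENARIOS = [
  { name: "https page, https file",
    initiator: "https://example.test/downloads",
    chain: ["https://files.example.test/tool.zip"] },
  { name: "https page links straight to an http file",
    initiator: "https://example.test/downloads",
    chain: ["http://files.example.test/tool.zip"] },
  { name: "https page, https link, server redirects to an http mirror",
    initiator: "https://example.test/downloads",
    chain: ["https://files.example.test/latest", "http://mirror.example.test/tool-1.2.zip"] },
  { name: "plain http page, http file",
    initiator: "http://old.example.test/",
    chain: ["http://old.example.test/tool.zip"] },
  { name: "https page, http download from a local dev server",
    initiator: "https://example.test/",
    chain: ["http://localhost:8000/build.zip"] },
];

function runScenarios() {
  return SCENARIOS.map((s) => ({ name: s.name, ...classifyDownload(s.initiator, s.chain) }));
}

for (const r of runScenarios()) {
  console.log(`${r.name}: mixed-content rule=${r.mixedContentRule}, ` +
              `insecure-download flag=${r.insecureDownloadFlag}` +
              (r.firstInsecureHop ? ` (hop: ${r.firstInsecureHop})` : ""));
}
```

Run it with node and each scenario prints both verdicts. Because the chain is the list of URLs the browser actually fetched, a redirect from an HTTPS link to an HTTP mirror appears as a second hop and trips both rules, while the plain-HTTP page scenario is the one the new flag changes: the older rule lets it through, the flag blocks it.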