The latest update to the Chrome browser took another step forward towards creating a more secure web experience for users by forcing audio and video to use HTTPS connections or else be blocked. In ongoing efforts to protect users from unsafe downloads, Google’s developers have now laid the groundwork that will eventually result in non-secure downloads being blocked entirely by Chrome.
On Thursday, Google’s online security blog published the roadmap that will begin the work with the release of Chrome 81 around the third week of March 2020. The first step will include will apply to executable files. Downloading an .exe file from a non-HTTPS source (this is referred to as mixed content when the page is secure but the download source is not) will result in a console warning behind the scenes in Chrome. As of April, when Chrome 82 is released, a warning notification will prompt users that they are downloading the executable from a non-secure source.
The efforts to block non-secure downloads will expand from there with executables being blocked by default in Chrome 83 and other unsecured file types being added to the warning list through subsequent releases. This will end with the release of Chrome 86 in October at which point any and all mixed content downloads will be blocked.
Here’s a breakdown of what content will be blocked and when you can expect the warnings to start showing up in Chrome.
- In Chrome 81 (released March 2020) and later:
- Chrome will print a console message warning about all mixed content downloads.
- In Chrome 82 (released April 2020):
- Chrome will warn on mixed content downloads of executables (e.g. .exe).
- In Chrome 83 (released June 2020):
- Chrome will block mixed content executables
- Chrome will warn on mixed content archives (.zip) and disk images (.iso).
- In Chrome 84 (released August 2020):
- Chrome will block mixed content executables, archives and disk images
- Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
- In Chrome 85 (released September 2020):
- Chrome will warn on mixed content downloads of images, audio, video, and text
- Chrome will block all other mixed content downloads
- In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
The rollout will begin for desktop Chrome with Android and iOS adding the warnings one release later. For enterprise and education clients, the blocking feature can be disabled on a per-site basis if needed by adding the policy
InsecureContentAllowedForUrls via the admin console. As Google continues to push for a more secure browsing experience, the company is encouraging developers to ensure all of their content is served over HTTPS as future updates will crack down even harder on mixed content. To learn more, head to Google’s Online Security Blog.