Millions of users around the world just updated to the latest version of the Chrome browser and/or operating system, and for many a somewhat disturbing notification may be popping up when an executable file download is initiated. The warning goes a little something like this: “File may be dangerous so Chrome blocked it.” Before you go deleting Chrome or tossing your laptop out the window, let’s take a quick look at what’s actually happening here. Don’t worry: this is exactly the intended behavior.
Starting with Chrome 83, Google’s browser began blocking downloads of what is referred to as “mixed content.” What is mixed content? Mixed content downloads are files that are non-secure downloads from a secure source. But what does that even mean? Well, if you look at the left-hand side of your URL bar, you will likely see a small lock icon. If you’re on this site, you’ll for sure see that icon. This means that the site you are visiting is being served over a secured layer. You may recognize this as HTTPS. Sites that do not use HTTPS will cause Chrome to report a non-secure warning. If you are on a secure site and attempt to download a file that is being served from a separate, non-secure source, this is mixed content.
In Chrome 83, downloads of executable files such as .exe and .apk files were blocked by default. With Chrome and Chrome OS 84, that default has been extended to .iso disk images and archive files, most commonly .zip files. If you have tried to download one of these types of files and were met with Chrome’s warning about the file being dangerous, chances are good that the download isn’t happening over HTTPS. That doesn’t necessarily mean that the file you’re downloading is malicious. Instead, this is Chrome’s effort to prevent users from opening non-secure connections to their devices. When your connection isn’t secure, that’s when the bad guys come out to play. If a popular executable file that tons of people use is being delivered over a non-secure connection, that’s a big target for hackers that would love to take advantage of that vulnerability.
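For site owners who want to find the links on their own pages that trigger this warning, here is an added example (not from Chrome or from this article's author) that scans an HTTPS page's HTML for download links resolving to plain HTTP. The extension table holds only the file types named above, and the sample page and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# File types named in the article, keyed to the Chrome release that began
# blocking them by default. Not Chrome's complete list.
BLOCKED_SINCE = {".exe": 83, ".apk": 83, ".iso": 84, ".zip": 84}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def find_mixed_downloads(page_url, html):
    """Links on an HTTPS page that fetch a listed file type over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))  # resolve relative links
        ext = posixpath.splitext(target.path)[1].lower()
        if target.scheme == "http" and ext in BLOCKED_SINCE:
            findings.append((target.geturl(), ext, BLOCKED_SINCE[ext]))
    return findings


# Constructed sample page; hosts are placeholders.
SAMPLE_HTML = """
<a href="http://downloads.example.com/setup.EXE">Windows installer</a>
<a href="https://downloads.example.com/setup.exe">Windows installer (HTTPS)</a>
<a href="//cdn.example.com/image.iso">Disk image</a>
<a href="/files/archive.zip">Archive</a>
<a href="http://mirror.example.net/tools.zip?v=2">Mirror</a>
<a href="http://example.com/readme.txt">Readme</a>
"""

if __name__ == "__main__":
    for url, ext, version in find_mixed_downloads("https://www.example.com/get", SAMPLE_HTML):
        print(f"{url} ({ext}) blocked by default since Chrome {version}")
```

Relative and scheme-relative links inherit HTTPS from the page, so only the two explicit `http://` links to listed file types are reported. This is a static check of the links as written in the HTML.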
So, what if you absolutely need to download that file? Well, there is a workaround, but before we cover that, a few disclaimers. I am not recommending that you disable mixed content blocking on your computer. If you choose to download files over non-secure connections, you and you alone are responsible for the outcome. If you are downloading legitimate software and the company delivering it doesn’t host it over HTTPS, you need to contact them and tell them they need to fix that post-haste. Only disable the following flag if you understand that you’re on your own.
Now that we have that out of the way: if you absolutely insist on disabling the mixed content blocker, you can do so by turning off the flag that enables it. Eventually, this flag will likely go away and you won’t have this option, but for now you can turn off the blocker by heading to chrome://flags/#treat-unsafe-downloads-as-active-content in your URL bar and selecting “disable.” Once you restart your browser, you should be able to download your files. Again, I do not recommend this. If you do use it, I suggest turning the blocker back on after you have your files. If you’re on a PC, you might want to ensure your anti-virus of choice is enabled. If you’d like to learn more about mixed content and Google’s roadmap for securing the web, head over to the Google Developer’s Blog.