Google Chrome to block insecure downloads starting this spring

Screenshot of Chrome download manager with the text 'file.ext can't be downloaded securely. [Discard]'

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables.
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images.
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text.
    • Chrome will block all other mixed content downloads.
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.

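Added example, not part of the original post and not Chrome's own logic: a small audit a site owner could run over a page's HTML to list http:// file links on an https:// page and see how the schedule above would treat each one in a given Chrome version. The extension lists, the rule that only links with a file extension count as downloads, and the sample hosts are assumptions.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Chrome version where (warn, block) begins per category, per the schedule above.
SCHEDULE = {"executable": (82, 83), "archive": (83, 84),  # archive: incl. disk images
            "other": (84, 85), "media": (85, 86)}          # media: image/audio/video/text
# Assumed, abbreviated extension lists; the post itself names only .exe, .zip, .iso.
EXTENSIONS = {"executable": {".exe"}, "archive": {".zip", ".iso"},
              "media": {".png", ".jpg", ".mp3", ".mp4", ".txt"}}

def category(url):
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    if not ext:
        return None  # assumption: extensionless links are navigations, not downloads
    return next((c for c, exts in EXTENSIONS.items() if ext in exts), "other")

def action(chrome_version, cat):
    warn_from, block_from = SCHEDULE[cat]
    if chrome_version >= block_from:
        return "block"
    if chrome_version >= warn_from:
        return "warn"
    return "console" if chrome_version >= 81 else "allow"  # 81+: console message only

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit(page_url, html, chrome_version):
    """Return (url, category, action) for each http:// file link on an https:// page."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only arises on a secure page
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for target in (urljoin(page_url, h) for h in parser.hrefs):
        cat = category(target)
        if urlparse(target).scheme == "http" and cat:
            findings.append((target, cat, action(chrome_version, cat)))
    return findings

# Constructed sample page (hypothetical hosts); the relative link stays on HTTPS.
SAMPLE = ('<a href="http://dl.example.com/setup.exe">x</a>'
          '<a href="http://dl.example.com/backup.zip">x</a>'
          '<a href="http://dl.example.com/manual.pdf">x</a>'
          '<a href="/files/readme.txt">x</a><a href="http://example.com/about">x</a>')
```

Calling `audit("https://www.example.com/downloads", SAMPLE, 83)` reports the installer as blocked, the archive as warned and the PDF as console-only; the relative link resolves to HTTPS and is not reported.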

UnitPrice.org


Sounds like a great idea to me. I think we’ve finally realized that we can’t leave it totally up to the end-user to be safe and secure. More layers of protection need to happen automatically.

I’m somewhat surprised this hasn’t been done sooner, but I suppose HTTPS has only risen to prominence in the last few years, with most sites finally enabling that.

 

Gummibeer


How about adding it to the CSP? And Chrome only enforces an HTTPS rule?
This way we would have much more control and could disable downloads at all on a given page.
We could even harden it more by a dedicated DSP (download security policy) to define downloadable file types, source domains and possibly even public signing keys to verify the file origin.

 

v1rtl


Sounds like a good thing. HTTPS is affordable thru Let's Encrypt, so I see no reason to use HTTP outside of localhost.

 