In a move to further protect HTTPS pages from attacks, Chrome will gradually block all mixed content (insecure) downloads started from secure HTTPS pages. Starting from April 2020, Chrome will start warning users, and it will block insecure downloads entirely from October this year, with executable files being the first to be affected.
Chrome will later extend the blockade to more file types in subsequent rollouts.
Mixed content is a risk to user privacy and security because attackers can carry out a range of attacks by swapping the insecure content with malicious software that could potentially give them access to user data as well as real-time audio-video feeds.
For Android and iOS users, the warning will be delayed by one release, which means that the users on these platforms will see the warning from Chrome 83 onwards.
These gradual rollouts, which started with Chrome 79 (December 2019) and will continue to Chrome 86 (October 2020), are designed to mitigate the worst risks immediately while giving developers ample time to update their websites.
Tips for the developers
Chrome has listed several tips for the developers, which are as follows:
- Developers can activate the “Treat risky downloads over insecure connections as active mixed content” flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
- Enterprise and education customers can disable blocking on a site-by-site basis via Chrome’s InsecureContentAllowedForUrls policy.
Timeline for blocking the insecure downloads
Here is a timeline of changes for Chrome by Google.
- Chrome 80 (January 2020): A Not Secure warning will be displayed in the Omnibox. Also, Chrome will auto-upgrade mixed audio and video resources to https:// and will block those resources which fail to auto-upgrade.
- Chrome 81 (March 2020): A console message warning will be shown for all mixed content downloads.
- Chrome 82 (April 2020): Warnings on downloading insecure executable (.exe) files will start appearing.
- Chrome 83 (June 2020): Chrome will block the executable files and will issue a warning for other file types such as .zip and .iso files.
- Chrome 84 (August 2020): Mixed content downloads of .zip and .iso files will be blocked. Chrome will issue a warning for all other mixed content except image, audio, video and text formats.
- Chrome 85 (September 2020): Chrome will issue a warning for image, audio, video and text formats. Along with that, Chrome will block all other mixed content downloads.
- Chrome 86 (October 2020): All mixed content will be blocked by Chrome.
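One way to audit a page against this timeline, as an added example that is not code from Google or from the original article: the Python script below finds links on an HTTPS page that point at http:// files and reports the Chrome release from which each is warned about and blocked. Only .exe, .zip and .iso are named in the timeline; the media/text extension list, the rule that extensionless and .html links are navigations, and the example.test URLs are assumptions.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# category -> (first Chrome release that warns, first that blocks), per the timeline above
SCHEDULE = {"executable": (82, 83), "archive": (83, 84),
            "other": (84, 85), "media_text": (85, 86)}
# .exe, .zip and .iso are named in the article; the media/text entries are an assumed sample.
EXTENSIONS = {".exe": "executable", ".zip": "archive", ".iso": "archive",
              ".png": "media_text", ".jpg": "media_text", ".mp3": "media_text",
              ".mp4": "media_text", ".txt": "media_text"}
PAGE_EXTENSIONS = {"", ".html", ".htm"}  # assumption: plain navigations, not downloads
# Constructed sample markup for a page served from https://example.test/downloads/
SAMPLE_HTML = """
<a href="http://files.example.test/tool/setup.exe">Installer</a>
<a href="http://files.example.test/img/disk.iso">Disk image</a>
<a href="http://files.example.test/docs/manual.pdf">Manual</a>
<a href="http://files.example.test/about.html">About</a>
<a href="/local/readme.txt">Readme</a>
"""

class InsecureDownloadFinder(HTMLParser):
    """Collects <a href> targets that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "a" or not attrs.get("href"):
            return
        target = urlparse(urljoin(self.page_url, attrs["href"]))
        if target.scheme != "http":
            return  # https:// and relative links on an HTTPS page are not mixed
        ext = posixpath.splitext(target.path)[1].lower()
        if ext in PAGE_EXTENSIONS and "download" not in attrs:
            return  # looks like a page; a download attribute overrides this
        category = EXTENSIONS.get(ext, "other")
        warn, block = SCHEDULE[category]
        self.findings.append({"url": target.geturl(), "category": category,
                              "warn_from": warn, "block_from": block})

def audit(page_url, html):
    """Return insecure download links in html, soonest-blocked first."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on secure pages
    finder = InsecureDownloadFinder(page_url)
    finder.feed(html)
    return sorted(finder.findings, key=lambda f: f["block_from"])
```

This is a static check of the markup only: downloads reached through redirects or triggered by script do not appear in it.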
This is undoubtedly a significant step by Chrome towards securing user privacy. Developers must note the month of each rollout and update their websites accordingly.