As you may already know, Google and its web browser had started a war against the plain HTTP. The recently released Chrome 80 forces HTTP resources to be loaded via HTTPS, otherwise it leaves them blocked until the explicit user interaction. The company reveals the next step they would take, this time against HTTP downloads.
Chrome will gradually ensure that secure (HTTPS) pages only download secure files The browser will start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages).
The official blog post reveals what's behind the change.
Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
Google plans to apply restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. The plan for desktop platforms looks as follows:
Chrome 81 (released March 2020) will print a console message warning about all mixed content downloads;
Chrome 82 will display a warning; Starting in
Chrome 83 all downloadable content types will be gradually blocked.
After October 2020, Chrome will block all mixed content downloads.
Interested users can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at
Google will delay the roll-out on Android and iOS versions of Chrome for one release. This means that warnings for insecure downloads will be first displayed in Chrome 83, and not in Chrome 82.
Enterprise and education customers can disable blocking on a per-site basis via the existing
InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.