Google Chrome to block insecure downloads

Google announced on the Chrome Security Blog that it will soon start displaying warnings in Chrome when you try to download files via a non-HTTPS connection on secure pages. For regular users, this starts with the release of Chrome 82 in April 2020.

Initially, there will only be a warning, but in later versions of Chrome, these downloads will be blocked automatically. Starting with Chrome 83 in June 2020, users will no longer be able to do non-HTTPS protected executable downloads via secure websites. Chrome 84 will expand this to archive files and Chrome 86 will block all mixed content downloads, including audio, text, and image files.

Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome. As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

To keep everything working, webmasters will need to ensure that downloads exclusively use HTTPS. Google indicates they plan further restrictions in the future. Full details about the timeline can be found over here.