Google believes some websites are misleading users into thinking their downloads are secure. It hopes to address the problem with the upcoming version of its Chrome web browser.
The problem is simple. Users download files from websites protected by HTTPS without realising that the download itself originates on an HTTP site, which is less secure.
Google calls these “risky downloads” and has promised to block them completely as of the Chrome 83 update. This version is expected to go live in June this year.
However, from Chrome 81 (going live in March) the browser will issue warnings about mixed content downloads and .exe files.
Google also said it understands there are situations in which it makes sense to download from HTTP sites, such as when using an intranet. For situations like this, a policy called InsecureContentAllowedForUrls will allow HTTP downloads.
Google is not the only player in the browser market looking to fix this issue. Mozilla also spoke about it last year, but never implemented the feature.
Those interested in testing the new policy can do so via Chrome's test version, Canary.