Many warnings are not noticed until they officially take effect.

Please protect users from insecure downloads in Google Chrome

What are mixed Content Downloads?

First, mixed content. A browser requests page resources over either HTTPS or HTTP. When resources over both HTTPS and HTTP appear on the same page, that page is said to contain mixed content.

Since HTTPS is far more secure than HTTP, and HTTP leaves many openings for attack, Chrome began, for the sake of users' security and privacy, to ensure that every download initiated from a secure page is itself secure. In practice this means Chrome will gradually warn about, and then block, HTTP downloads from HTTPS pages, letting no potentially "insecure" resource slip through.

Schedule

As the timeline shows, every change is rolled out in three strict steps: console warning, then browser warning, then block.

Several key time points for blocking are as follows:

  • Chrome 85 (2020.08): blocks insecure executable files (e.g. .exe, .apk) from being downloaded
  • Chrome 86 (2020.10): blocks insecure compressed packages (e.g. .zip, .iso) from being downloaded
  • Chrome 87 (2020.11): blocks insecure downloads of unclassified file content, i.e. everything other than multimedia and text
  • Chrome 88 (2021.01): blocks all mixed content downloads
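As an added example (not code from the original post), here is a small Python scan that lists the http:// download links found on an HTTPS page and maps each to the first Chrome version in the schedule above that blocks it. The extension lists, the site names and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Extension sets are illustrative assumptions, not Chrome's exact lists.
EXECUTABLE = {".exe", ".apk", ".msi"}
ARCHIVE = {".zip", ".iso", ".7z"}
MEDIA_TEXT = {".png", ".jpg", ".mp3", ".mp4", ".txt"}

def classify(url):
    # Map a download URL to (category, first Chrome version that blocks it).
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in EXECUTABLE:
        return "executable", 85
    if ext in ARCHIVE:
        return "archive", 86
    if ext in MEDIA_TEXT:
        return "multimedia/text", 88
    return "other", 87  # unclassified content

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, has a `download` attribute)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))

def find_mixed_downloads(page_url, html):
    # Return the http:// download links found on an https:// page, in order.
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on a secure page
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, is_download in collector.links:
        url = urljoin(page_url, href)  # resolves relative and // hrefs
        category, version = classify(url)
        # A plain link to a page is not a download unless marked `download`.
        if urlsplit(url).scheme == "http" and (is_download or category != "other"):
            found.append({"url": url, "category": category, "blocked_from": version})
    return found

# Constructed sample page: only the first, second and fourth links are mixed downloads.
SAMPLE_HTML = """<a href="http://cdn.example.com/tool.exe">tool</a>
<a href="http://cdn.example.com/old/archive.zip">archive</a>
<a href="/files/release.zip">release</a>
<a href="http://cdn.example.com/report" download>report</a>
<a href="//cdn.example.com/clip.mp4">clip</a>
<a href="http://cdn.example.com/about.html">about</a>"""
```

Running `find_mixed_downloads("https://www.example.com/downloads/", SAMPLE_HTML)` reports the .exe (blocked from 85), the .zip (86) and the bare `download` link (87); the relative and protocol-relative links resolve to https and are not flagged.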

For the mobile versions of Chrome (iOS, Android), the official plan deliberately delays the blocking behaviour by one version, on the grounds that these operating systems already have certain defences of their own; that reasoning is quite convincing.

An opportunity

Why did I only notice, at this point in time (2020.11), an announcement that had been published as early as 2020.02?

With the release of Chrome 86 and its growing coverage, some users found that the zip files on the site in question could no longer be downloaded (which should be the most typical download scenario). Finally! After half a year, Chrome's warning caught the attention of the website maintainers.

As stated at the beginning of this article, "warnings are only noticed when they officially take effect." Even though Chrome had escalated from console warnings to browser warnings, I firmly believe that as long as a feature still works, developers will not take action.

Looking more closely at Chrome's blocking plan, it seems Chrome carefully considered how frequently each kind of download is requested, especially multimedia, and put the blocking of those last, even switching to a whitelist policy (block everything else, allow multimedia and text). I think that if it had blocked multimedia downloads first, it might have been buried in complaints from the whole Internet on day one...

A stopgap

So what do you do when you run into a site that has fallen into disrepair and nobody maintains any more?

There is also a backdoor flag that developers can use to keep page functions working: change chrome://flags/#treat-unsafe-downloads-as-active-content.

A small aside

The SameSite console warning has been flashing for "several years", yet nobody paid it any attention. Until the day the warning took effect! And still, nobody cares...

When you encounter such websites, and your daily work depends on them, you also have to fall back on the trick of changing the flag.