PSA: Warning on Insecurely-Delivered Downloads

[Joe DeBlasio]

Hi blink-dev!

Starting shortly after HTTPS Upgrades ships, Chrome will start showing warnings when a user downloads files over an insecure (i.e. non-TLS) connection. This builds on top of the previously shipped blocking of insecurely delivered files initiated on secure pages ("mixed downloads"). 

This user-agent intervention should cause no site breakage, but it may mean users see additional (bypassable) warnings if your site relies on insecure downloads.

Developers who wish to avoid their users seeing these warnings should ensure that all downloads are served securely -- warnings are triggered when insecure HTTP is used by the final download URL, any URLs that redirect to the download, or on the page on which the download was initiated.  

While there isn't a public explainer for this change, a blog post with additional details is forthcoming. I'm also happy to answer any additional questions here.

Joe

[Mike Taylor]

That sounds great, please respond with a link to the blog post once it's published.

Joe

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFZs0S5nA%2BBv3z%3DkQuJWZEtsxz%2B_6Q4ghHdi0dWeWnfV7vrtJQ%40mail.gmail.com.

[Joe DeBlasio]

Absolutely will do. Thanks Mike!