Google wants to block some file downloads carried out via HTTP on websites that load via an HTTPS URL.
According to a proposal the browser maker put forward yesterday, only the download of certain "high-risk" file types will be blocked by default.
This includes EXE (Windows executable), DMG (macOS disk image, the usual container for Mac application installers), CRX (Chrome extension package), and all the major archive formats, such as ZIP, GZIP, BZIP, TAR, RAR, and 7Z.
These file types are considered "high-risk" because they are most likely to be abused to hide malware.
The idea, according to Google, is to block any of these files when the download takes place via an HTTP connection, even if the site the user is downloading the data from is loaded via secure HTTPS.
Google said it's currently not thinking of blocking downloads started from HTTP sites, since the browser is already warning users about the site's poor security via the "Not Secure" indicator in the URL bar.
The plan is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.
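The rule described in the three paragraphs above is easy to state but has a few practical corners (relative links that resolve to the page's own HTTPS origin, query strings and fragments after the file name, upper-case extensions). The following is an added example, written for this page and not Chrome's own implementation, that models the proposed policy and audits a list of links for downloads it would block. The file-type list is the one the article gives (with the common on-disk spellings such as `gz` and `bz2` added); the decision labels, the helper names and the sample page and links are assumptions made for the example.

```javascript
// Added example: a model of the proposed mixed-content download rule.
// Not Chrome's code; the labels and helper names are this example's own.

// File types the article lists as "high-risk", as lower-case extensions.
// "gzip"/"bzip" are the article's names; "gz"/"bz2" are what files actually carry.
const HIGH_RISK_EXTENSIONS = new Set([
  "exe", "dmg", "crx",
  "zip", "gz", "gzip", "bz2", "bzip", "tar", "rar", "7z",
]);

// Extension of the last path segment, lower-cased. Query string and fragment
// are not part of URL.pathname, so "x.ZIP?v=1#latest" yields "zip" and
// "archive.tar.gz" yields "gz". A segment without a dot yields "".
function fileExtension(url) {
  const segment = url.pathname.split("/").pop();
  const dot = segment.lastIndexOf(".");
  return dot === -1 ? "" : segment.slice(dot + 1).toLowerCase();
}

// Classify a download started from `pageUrl` that fetches `downloadHref`
// (absolute or relative). Outcomes used by this example:
//   "page-not-secure" - the page itself is HTTP; the article says Chrome leaves
//                       this to the "Not Secure" indicator rather than blocking
//   "allow"           - HTTPS download, or a type outside the high-risk list
//   "block"           - HTTPS page, plain-HTTP download, high-risk type
function classifyDownload(pageUrl, downloadHref) {
  const page = new URL(pageUrl);
  const target = new URL(downloadHref, page); // resolves relative links
  if (page.protocol !== "https:") return "page-not-secure";
  if (target.protocol !== "http:") return "allow";
  return HIGH_RISK_EXTENSIONS.has(fileExtension(target)) ? "block" : "allow";
}

// Site-audit helper: given the hrefs found on a page, return the ones the
// proposal would block, so they can be switched to HTTPS before the change ships.
function findBlockedDownloads(pageUrl, hrefs) {
  return hrefs.filter((h) => classifyDownload(pageUrl, h) === "block");
}

// Constructed sample input (hypothetical hosts, not from the article).
const SAMPLE_PAGE = "https://downloads.example.test/tools/";
const SAMPLE_LINKS = [
  "http://cdn.example.test/setup.exe",            // blocked: HTTP + exe
  "https://cdn.example.test/setup.exe",           // allowed: HTTPS
  "/archive.tar.gz?ver=2",                        // allowed: resolves to HTTPS origin
  "http://cdn.example.test/archive.tar.gz?ver=2", // blocked: .gz, query ignored
  "http://cdn.example.test/README.txt",           // allowed: not high-risk
  "http://cdn.example.test/Tool.ZIP#latest",      // blocked: case-insensitive
];

if (typeof require !== "undefined" && require.main === module) {
  for (const href of findBlockedDownloads(SAMPLE_PAGE, SAMPLE_LINKS)) {
    console.log("would be blocked:", href);
  }
}
```

Run it with `node` and it lists the three sample links that fall under the rule. The audit only looks at link targets; a download that starts from an HTTPS URL and is then redirected to HTTP would need the final URL checked, which a static link scan cannot see.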
Emily Stark, the Google engineer who revealed Chrome's plans on the World Wide Web Consortium (W3C) mailing list yesterday, did so in order to ask other browser makers to implement a similar mechanism.
"I wanted to see if other browsers would be interested in joining us on this adventure," Stark said.
And Mozilla is.
"We are interested in exploring these ideas further in conversation with Google and other interested parties," a Mozilla spokesperson told ZDNet today. "The general idea aligns with the steps we have previously taken to protect users from insecurely delivered content."
Should Chrome treat high-risk non-secure downloads as mixed content? https://t.co/LDxeK9Wfm7
— Emily Stark (@estark37) April 9, 2019
According to Stark, Chrome engineers will focus primarily on adding this feature to the desktop version of the browser. On Android, Chrome already works together with the Safe Browsing feature to block suspicious APK (Android package) files in a similar manner, according to Stark.
Article updated with comments from Mozilla.