Google Chrome engineers want to block some HTTP file downloads

Google wants to prevent some file types from being downloaded via HTTP when the website domain shows HTTPS.

New Chrome extension checks if username/password combo has been compromised Google releases "Password Checkup" Chrome extension on Safer Internet Day.

Google wants to block some file downloads carried out via HTTP on websites that load via an HTTPS URL.

According to a proposal the browser maker has put forward yesterday, only the download of certain "high-risk" file types will be blocked by default.

This includes EXE (Windows application binary), DMG (Mac application binary), CRX (Chrome extension package), and all the major archive formats, like ZIP, GZIP, BZIP, TAR, RAR, and 7Z.

These file types are considered "high-risk" because they are most likely to be abused to hide malware.

The idea, according to Google, is to block any of these files when the download takes place via an HTTP connection, even if the site the user is downloading the data from is loaded via secure HTTPS.

Google said it's currently not thinking of blocking downloads started from HTTP sites, since the browser is already warning users about the site's poor security via the "Not Secure" indicator in the URL bar.

The plan is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.

Emily Stark, the Google engineer who revealed Chrome's plans on the World Wide Web Consortium (W3C) mailing list yesterday, did so in order to ask other browser makers to implement a similar mechanism.

"I wanted to see if other browsers would be interested in joining us on this adventure," Stark said.

And Mozilla is.

"We are interested in exploring these ideas further in conversation with Google and other interested parties," a Mozilla spokesperson told ZDNet today. "The general idea aligns with the steps we have previously taken to protect users from insecurely delivered content."

According to Stark, Chrome engineers will focus on adding this feature to the browser's desktop version primarily. On Android, Chrome already works together with the Safe Browsing feature to block suspicious APK (Android package) files in a similar manner, according to Stark.

Article updated with comments from Mozilla.

More browser coverage: