In context: Google pushed for a more secure web by labeling all HTTP websites as 'Not secure' in Chrome 68 (July 2018). As websites transitioned to HTTPS, there was still a risk of downloading tampered files from these secure websites, since a page served over HTTPS may still hand out its downloads over the older, unencrypted protocol. The company has now revealed a roadmap for its Chrome browser that will further tighten the noose around insecure downloads by completely blocking all such files when version 86 comes out in October this year.
The idea is to protect users' security and privacy, which are put at risk when "insecurely-downloaded programs" are swapped out for malware by attackers or when "insecurely-downloaded bank statements" allow eavesdroppers to peek through one's financial records, among other scenarios.
Google will eventually remove support for insecure downloads (non-HTTPS downloads started on secure pages) on Chrome and will begin displaying a warning message on the browser's console with version 81 coming out next month for desktop platforms (Windows, macOS, Chrome OS, and Linux).
Users will begin to see a warning for 'executables' in version 82, as such file types generally carry the most risk. Subsequent releases will cover more 'mixed content downloads' including zip files, disk images, documents, and multimedia over the coming months to "mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see."
For mobile users (Android and iOS), Google says that the warnings will start to appear a bit later, in version 83, given the platforms' "better native protection against malicious files." The delay will also give developers more time to update their sites accordingly.
To prevent users from seeing such warnings, developers would need to ensure that downloads are served over HTTPS, while those looking to test the feature can enable the "Treat risky downloads over insecure connections as active mixed content" flag under chrome://flags/#treat-unsafe-downloads-as-active-content.
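A site owner who wants to find such links before Chrome starts warning about them needs a mixed-content download audit. The following is an added example, not code from the article or from Google: it parses a page's HTML, resolves every link and form target against the page's HTTPS URL, and reports the ones that still point at a plain http:// target, grouped by the file-type categories the article lists. The HTML, hostnames and extension table are constructed for the example and are not taken from the article.

```python
"""Audit an HTTPS page for downloads that would be fetched over plain HTTP.

Added example (not part of the article). It flags <a href> and <form action>
targets that resolve to an http:// URL when the page itself is https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed grouping, loosely following the rollout order the article
# describes (executables first, then archives, disk images, documents, media).
RISKY_EXTENSIONS = {
    "executable": {".exe", ".msi", ".apk", ".sh"},
    "archive": {".zip", ".7z", ".tar", ".gz", ".rar"},
    "disk-image": {".iso", ".img", ".dmg"},
    "document": {".pdf", ".doc", ".docx", ".xls", ".xlsx"},
    "media": {".mp3", ".mp4", ".mov"},
}


class _TargetCollector(HTMLParser):
    """Collect raw href/action values in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def classify(url):
    """Map a URL's path extension to one of the categories above, else 'other'."""
    path = urlsplit(url).path.lower()
    for kind, exts in RISKY_EXTENSIONS.items():
        if any(path.endswith(ext) for ext in exts):
            return kind
    return "other"


def find_insecure_downloads(page_url, html):
    """Return [{'url': ..., 'kind': ...}] for every http:// target on an https page.

    Relative and scheme-relative ("//host/file") links inherit the page's
    scheme via urljoin, so they are correctly treated as secure.
    """
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed-content rules only apply to pages served over https")
    collector = _TargetCollector()
    collector.feed(html)
    findings = []
    for raw in collector.targets:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append({"url": absolute, "kind": classify(absolute)})
    return findings


# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "https://www.example.test/downloads/"
SAMPLE_HTML = """
<html><body>
  <a href="http://dl.example.test/setup.exe">Installer (insecure)</a>
  <a href="https://dl.example.test/setup.exe">Installer (TLS)</a>
  <a href="/files/report.pdf">Report (same origin, inherits https)</a>
  <a href="http://dl.example.test/report.pdf">Report (insecure)</a>
  <a href="//cdn.example.test/archive.zip">Archive (scheme-relative)</a>
  <form action="http://legacy.example.test/export"><button>Export</button></form>
  <a href="mailto:support@example.test">Contact</a>
</body></html>
"""


def audit_sample():
    """Run the audit over the constructed sample page."""
    return find_insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['kind']:10} {finding['url']}")
```

Running the script on the sample lists three insecure targets: the executable and the PDF served from the http:// host, plus the form action, which has no recognisable extension and is reported as "other". Links that resolve to https://, including the scheme-relative CDN link, are not reported.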
Since the warnings could prove annoying for Google's enterprise and education customers (usually working in an intranet environment), the company notes that Chrome's blocking functionality can be disabled on a "per-site" basis "by adding a pattern matching the page requesting the download" in the browser's policy.