
Chrome is to treat downloads served over an insecure connection from HTTPS websites as mixed content and block them. The change was rolled out to 50% of Dev and Canary users, but as of now it has been put on hold.
Google is looking to block insecure downloads “initiated from secure contexts as a form of active mixed content”. The plan is to apply this initially to high-risk file types such as .exe on desktop.
The flag, named “treat risky downloads over insecure connections as active mixed content”, tells more about it. When enabled, the experimental feature “disallows downloads of unsafe files (files that can potentially execute code), where final download origin or any origin in the direct chain is insecure if the originating page is secure”.
If you initiate an executable file download on a secure website and the file is downloaded over an insecure connection, that download will be blocked, and the user is shown a Mixed Content error in DevTools with the message:
“The site at ‘https://example.com/1.html’ was loaded over a secure connection, but the file at ‘http://site.com/x.exe’ was redirected through an insecure connection. This file should be served over HTTPS”.
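As an added illustration that is not Chrome's own code, the following JavaScript models the rule the flag describes: the initiating page must be a secure context, the file must be of a type that can execute code, and the decision considers every URL in the redirect chain, not only the final one. The unsafe-extension list, the function names and the URLs in the sample chains are assumptions for this example; Chrome's real policy also looks at Content-Disposition and sniffed MIME type, which is not modelled here.

```javascript
// Added example, not Chrome's code: a model of the "treat risky downloads over
// insecure connections as active mixed content" rule described above.
// Assumptions (not from the original text): the extension list below, the
// function names, and that the file type is taken from the final URL's path.

const UNSAFE_EXTENSIONS = new Set([
  'exe', 'msi', 'bat', 'cmd', 'scr', 'ps1', 'dll', 'jar', 'apk', 'dmg', 'pkg',
]);

// A context is secure when served over TLS or from loopback.
function isSecureOrigin(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const h = u.hostname;
  return h === 'localhost' || h.endsWith('.localhost') || h === '127.0.0.1' || h === '[::1]';
}

// Lower-cased extension of the last path segment, '' if there is none.
function fileExtension(urlString) {
  const path = new URL(urlString).pathname;
  const base = path.slice(path.lastIndexOf('/') + 1);
  const dot = base.lastIndexOf('.');
  return dot === -1 ? '' : base.slice(dot + 1).toLowerCase();
}

// initiatingPage: URL of the page that started the download.
// redirectChain: every URL the download request touched, first to last.
function evaluateDownload(initiatingPage, redirectChain) {
  const finalUrl = redirectChain[redirectChain.length - 1];

  // The rule only applies to downloads initiated from a secure context.
  if (!isSecureOrigin(initiatingPage)) {
    return { blocked: false, message: 'initiating page is not a secure context' };
  }
  // Only file types that can execute code are in scope.
  if (!UNSAFE_EXTENSIONS.has(fileExtension(finalUrl))) {
    return { blocked: false, message: 'file type is not treated as unsafe' };
  }
  // Any insecure hop in the chain taints the download, not just the final origin.
  const insecureHop = redirectChain.find((u) => !isSecureOrigin(u));
  if (insecureHop === undefined) {
    return { blocked: false, message: 'download chain is fully secure' };
  }
  const how = insecureHop === finalUrl
    ? 'was loaded over an insecure connection'
    : 'was redirected through an insecure connection';
  return {
    blocked: true,
    message: `The site at '${initiatingPage}' was loaded over a secure connection, ` +
      `but the file at '${finalUrl}' ${how}. This file should be served over HTTPS.`,
  };
}

// Constructed sample: an HTTPS page whose download link 302s through plain HTTP.
console.log(evaluateDownload('https://example.com/1.html',
  ['https://site.com/get', 'http://site.com/x.exe']));
```

The point the model makes explicit is the middle branch: a chain that starts and ends on HTTPS but passes through an HTTP redirect is still blocked, because an attacker on the path can rewrite that intermediate hop to point at any binary they choose.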
The feature is integrated into the Chrome download manager and has nothing to do with Google Safe Browsing. A CL landed in May to modify the DownloadTargetDeterminer state machine to “add a call out to its delegate to check whether the download should be blocked. This happens initially after the initial download path is determined, but before a user might be prompted. This will be eventually used to block downloads as active mixed content”.