silversurfer

Google has proposed adding automatic blocking of high-risk downloads from non-secure websites to future versions of its Chrome web browser, as revealed by a proposal from Google Chrome security engineer Emily Clark on the World Wide Web Consortium (W3C) public mailing list.

This means that users will no longer be able to download executables or archives delivered over an HTTP connection initiated from HTTPS websites because the Chrome web browser will tag them as mixed content and will automatically block them.

According to the Chrome engineer, "We want to achieve the right balance between compatibility/user-disruption and security improvements, so we will likely start by treating certain high-risk downloads initiated from secure contexts as active mixed content and block them."

As detailed in Clark's proposal, Chrome will flag "exes, dmgs, and crxs as executables, and zip/gzip/rar/tar/bzip/etc. as archives," with a full list of the targeted file types available HERE.

[Image: MIME types to be flagged as mixed content]

[Image: File types to be flagged as mixed content]

Clark said that "We're still finalizing our metrics before we can share them publicly, but right now it's looking like it will be feasible to block a set of high-risk filetypes (executables and archives as determined by the Content-Type header or sniffed mime-type)."
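
An added example, not part of the original post or of Chrome's code: a check a site owner could run to find links on an HTTPS page that fetch the file kinds named above over plain HTTP. It goes by URL extension only, whereas Chrome, per the quote, goes by the Content-Type header or sniffed MIME type; the extension mapping, function names and sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File kinds named in the article, mapped to common extensions (assumed mapping;
# the proposal's full list is not reproduced on this page).
HIGH_RISK = {
    ".exe": "executable", ".dmg": "executable", ".crx": "executable",
    ".zip": "archive", ".gz": "archive", ".rar": "archive",
    ".tar": "archive", ".bz2": "archive",
}

def risk_class(url):
    """Return 'executable', 'archive' or None from the URL path's last extension."""
    path = urlsplit(url).path.lower()  # query string and fragment are ignored
    dot = path.rfind(".")
    return HIGH_RISK.get(path[dot:]) if dot > path.rfind("/") else None

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_page(page_url, html):
    """List (absolute_url, class) for insecure high-risk download links on a page."""
    if urlsplit(page_url).scheme != "https":
        return []  # the proposal covers downloads initiated from secure contexts
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)  # resolves relative and protocol-relative links
        kind = risk_class(target)
        if urlsplit(target).scheme == "http" and kind:
            findings.append((target, kind))
    return findings

# Constructed sample page for the demonstration.
SAMPLE = """
<a href="http://downloads.example.com/setup.exe">Windows</a>
<a href="//cdn.example.com/tool.dmg">macOS</a>
<a href="http://downloads.example.com/src.tar.gz?v=2">Source</a>
<a href="/files/app.zip">Zip</a>
<a href="http://downloads.example.com/manual.pdf">Manual</a>
"""
```

Calling `audit_page("https://www.example.com/get", SAMPLE)` reports the `setup.exe` and `src.tar.gz` links; moving those to HTTPS is the fix.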