Blocking high-risk non-secure downloads

Blocking high-risk non-secure downloads from Emily Stark on 2019-04-09 ([email protected] from April 2019)

Hi webappsec friends,

Over in Chrome land, we’ve been considering how to drive down non-secure
downloads, particularly high-risk ones like executables. We want to
achieve the right balance between security improvements, so we will
likely start by treating certain high-risk downloads initiated from
secure contexts as active mixed content and block them. We’re not
planning to focus on non-secure downloads initiated from non-secure
contexts at the moment, because users at least see the “Not Secure”
omnibox badge on those pages.

Source: lists.w3.org