You can log this in DownloadManagerImpl::StartDownload() after calculating the |new_download| boolean. |new_download| is true if this is a new download (as opposed to a resumption attempt on an existing download).

Unfortunately, the referrer information is unreliable. So we can't always determine if the referring page (i.e. the initiator) was secure or not. We should have the tab URL which would be the URL of the top level document at the time the download was initiated.

Yea good point -- the initiator-security would be imprecise, but it'd give us a general idea at least.  The download-url's scheme would be reliable though, ya?

Yeah. We'd have a reliable redirect chain starting with the initially requested download URL until the final download URL.

Do we want to treat any redirect chain containing any non-secure component as a non-secure initiator? (That seems useful because that's probably what we'd eventually want to warn on)

#5: We can treat any download with an insecure URL in the redirect chain as an insecure download. That's what you meant, right? At the moment the initiator information is not sufficiently reliable for us to base a warning on it.

Ok, lacking a reliable initiator, I'll propose the following metric, just looking at the redirect/target URLs:

Download.TargetSecurity
  DOWNLOAD[_REDIRECT_][_TARGET]_INSECURE // 3 combos
  DOWNLOAD_SECURE // All are HTTPS
  DOWNLOAD_NON_HTTPX

A redirect/target is secure iff it's HTTPS, and insecure if it's HTTP.  If there are any non HTTPx in the either (data, file, ftp), we'll put it NON_HTTPX. 

If we could take a best guess at the initiator's security, we should log that to get a general idea of counts. Asanka: Would that be DownloadCreateInfo:: referrer_url, site_url, or tab_url? Or is it not worthwhile?

Let's do Download.TargetSecurity first. And after my download attribution is done, we can probably record Download.InitiatorSecurity more reliably.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/82b8e5071d4088fc18daf80f6f49047ef5a6ff5e

commit 82b8e5071d4088fc18daf80f6f49047ef5a6ff5e
Author: jialiul <jialiul@chromium.org>
Date: Fri Sep 30 17:42:42 2016

Record download target connection security state

As part of HTTP-bad effort, we want to learn about and then indicate the
insecure state of HTTP downloads. This CL add UMA metric to record the
connection security state of download target, indicating whether the final
resolved download url and the redirects before it are secure or not.

BUG=645521

Review-Url: https://codereview.chromium.org/2378333002
Cr-Commit-Position: refs/heads/master@{#422148}

[modify] https://crrev.com/82b8e5071d4088fc18daf80f6f49047ef5a6ff5e/content/browser/download/download_manager_impl.cc
[modify] https://crrev.com/82b8e5071d4088fc18daf80f6f49047ef5a6ff5e/tools/metrics/histograms/histograms.xml

Half done. 
I'll keep this bug open for now. After we fix the referrer chain, I will add more UMA metrics to indicate if the initiator is secure or not. 

Re-active this issue, since the new referrer chain work is done.
Just to clarify, does the initiator means "landing page"? Do we want to record the connection security status for redirects to landing page too?

+elawrence for interest and expertise in HTTP downloads

I added the "GoogleFirstBug" label to this issue, since the remaining implementation should be straight forward as long as we're clear what we want to track.