New issue
Advanced search Search tips
Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 589747
Owner: ----
Closed: Dec 14
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Feature

Sign in to add a comment

Security: Downloading a file using unencrypted HTTP on a HTTPs host doesn't show any warning/error to the user

Reported by, Dec 14 Back to list

Issue description

This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different

Please READ THIS FAQ before filing a bug:

Please see the following link for instructions on filing security bugs:

NOTE: Security bugs are normally made public once a fix has been widely


When the user visits an HTTPs website, Google Chrome already shows a warning when any of the assets on the website are downloaded via unencrypted HTTP (see Mixed Content docs

However this is not the case for file downloads when downloading a file from an unencrypted URL as part of a HTTP website.

This is a big problem, as anyone in the same network can easily do a man-in-the-middle attack to read & replace the content of the file.

**Steps to Reproduce:**
- Visit an HTTPs encrypted website, notice the green "Secure HTTPS" badge next the URL
- The user feels safe and thinks everything on this website is encrypted
- Click a download button for any kind of file, linking to an unencrypted HTTP URL

**Expected Results:**
The browser shows a warning or ideally an error that the download this website tries to trigger is unsafe.

**Actual Results:**
The download works just fine, giving no indication to the user that it happened over unencrypted HTTP.

Chrome Version: 62.0.3202.94 + stable
Operating System: macOS 10.12.6

The easiest way to test it, is to visit, modify the HTML DOM of the `Download SDK` button to use a HTTP URL instead of HTTPs, and click the `Download SDK` button afterwards.

Here is a video showing the problem in action:

Type of crash: none
Crash State: none
Client ID (if relevant): [see link above]

Components: UI>Browser>Downloads Security
Labels: -Type-Bug-Security Hotlist-HttpBad Team-Security-UX Type-Feature
Status: Available
This seems similar to, but specifically the concern of HTTP downloads as a form of "mixed content" as discussed in Comment 7 there. We are considering this as part of our broader "HTTPBad" project, but it we're not sure exactly how we would address this yet. I'm going to change this to be a feature request which we can track as part of that effort.
Components: -Security
Labels: -Restrict-View-SecurityTeam
Mergedinto: 589747
Status: Duplicate
I think this is effectively already tracked by 589747.
Perfect, thanks for the fast response

Sign in to add a comment