Downloading files from HTTP sites soon won’t be possible in Chrome — why it matters

Google is working on a new security option for Chrome that will help prevent users from downloading potentially insecure files from HTTP sites in the browser.

For those unfamiliar, HTTP or Hypertext Transfer Protocol is a protocol used for transferring data over a network. While HTTP used to be the standard protocol for most sites, a growing number now use HTTPS (Hypertext Transfer Protocol Secure), the more secure version of this protocol, which uses encryption.

During the past few years, Google has bolstered Chrome’s security by marking older HTTP sites as “Not Secure” in the address bar of its browser. It also now blocks HTTPS sites from using insecure web forms or downloads that use HTTP instead.

Blocking HTTP downloads

Google has also added a toggle in Chrome’s security settings that tries to upgrade HTTP sites to their HTTPS version if a user accidentally navigates to an older webpage. Now though, the search giant plans to expand this toggle by also preventing Chrome users from downloading files from HTTP sites, according to 9To5Google.

Based on a new code change and an explainer, Google will block downloads from any website that's still using HTTP. However, Google is taking things a step further. For instance, if an HTTPS download link redirects a user to an HTTP server and then back to an HTTPS connection, Chrome will block the download as unsafe.
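For site owners who want to check their own download links against the redirect rule described above, the following is an added example, not Chrome's code or anything from Google's explainer. It assumes a simplified model in which any hop that is not HTTPS makes the download insecure; the function names, hostnames and response records are constructed for illustration.

```javascript
// Added example: audit a download's redirect chain for plaintext HTTP hops.
// hops[i] is the response received for the i-th URL in the chain.

function resolveChain(startUrl, hops) {
  const chain = [new URL(startUrl)];
  for (const hop of hops) {
    const isRedirect = hop.status >= 300 && hop.status < 400 && hop.location;
    if (!isRedirect) break; // final response reached
    // Location may be relative or protocol-relative; resolve it against
    // the URL that issued the redirect so it inherits that URL's scheme.
    chain.push(new URL(hop.location, chain[chain.length - 1]));
  }
  return chain;
}

function auditDownload(startUrl, hops) {
  let chain;
  try {
    chain = resolveChain(startUrl, hops);
  } catch (err) {
    // Fail closed: a chain that cannot be parsed cannot be shown to be secure.
    return { verdict: "block", reason: "unparseable URL in chain", insecureHops: [] };
  }
  // Assumption: only https: counts as secure. A secure final URL does not
  // make up for an insecure hop earlier in the chain.
  const insecureHops = chain
    .map((u, index) => ({ index, url: u.href }))
    .filter((h) => new URL(h.url).protocol !== "https:");
  return {
    verdict: insecureHops.length === 0 ? "allow" : "block",
    reason: insecureHops.length === 0 ? "all hops use HTTPS" : "insecure hop in chain",
    insecureHops,
    finalUrl: chain[chain.length - 1].href,
  };
}

// Constructed sample: HTTPS link -> HTTP mirror -> HTTPS CDN -> file.
const SAMPLE_HOPS = [
  { status: 302, location: "http://mirror.example.net/pkg/tool.zip" },
  { status: 301, location: "https://cdn.example.net/pkg/tool.zip" },
  { status: 200 },
];
const sampleResult = auditDownload(
  "https://downloads.example.com/get/tool.zip", SAMPLE_HOPS);
console.log(sampleResult.verdict, sampleResult.insecureHops);
```

The sample chain begins and ends on HTTPS but is still reported as blocked because of the HTTP mirror in the middle, which is the case the article singles out.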

Just like with Chrome’s other warnings though, you will be able to bypass the block and download a file from an HTTP site. This is only worth doing if you know the site is legitimate and desperately need a particular file.

How to block insecure downloads in Chrome

Once Chrome’s new option to block insecure HTTP downloads is ready, it will first be offered as a Chrome flag before becoming generally available.

If you haven’t tested out Chrome flags before, they are essentially experimental features you can try out early by heading to chrome://flags in your browser’s address bar. However, as Google warns at the top of the Chrome flags page, enabling these features means “you could lose browser data or compromise your security or privacy,” so proceed with caution.

To block insecure HTTP downloads, you’ll need to search for and enable the Chrome flag #block-insecure-downloads and then restart your browser. Afterward, you’ll see a warning message anytime you try to download files from a site still using HTTP instead of HTTPS.

We’ll likely hear more from Google once this security option becomes generally available to all Chrome users.

Anthony Spadafora
Senior Editor Security and Networking
