lexcyn
Steel Contributor
Apr 19, 2024

Mixed mode content download warning

After the recent update to v124 in Stable, all of a sudden we had a bunch of internal sites start throwing mixed mode content download warnings which blocked file downloads. I was able to bypass this by adding the download URLs into the "allow insecure content on specified sites" policy, but I can't find any information as to why this all of a sudden changed in the latest version. There was nothing in the changelog that I saw that would affect this. Any ideas? Has anyone else experienced this issue?


  • MSizec
    Copper Contributor
    Hi!
    Same here, you're not alone!
    Like you, we did not find any related modification in the v124 changelog.

  • SAPacker
    Brass Contributor
    It's happening with the 124 version of Chrome also, so it looks like it's a Chromium bug.
  • pjv4tx
    Brass Contributor

    lexcyn, thanks for your post!

    We are finding what looks to be the same issue at our organization. Toward the end of last week (April 19th) users started reporting issues when trying to download routine reports, Excel, PDF, etc.

    They're receiving a native Edge dialogue that states "This file can't be downloaded securely. Malicious attackers might be able to read or change insecurely downloaded files." I was scratching my head trying to figure out if something had changed in our browser/security policies.

    I can also confirm adding affected addresses to the InsecureContentAllowedForUrls policy setting is functioning for us as a workaround right now.

  • SAPacker
    Brass Contributor
    Followed by:
    Good day to you.

    At the moment we do not have any documentation from Microsoft that explicitly states that this is an intended change from Microsoft to provide enhanced security. And as for the wildcards, * is not an accepted value for this policy.

    You can refer to https://go.microsoft.com/fwlink/?linkid=2095322 for more information on formatting the URLs.

    Please feel free to reach out to us in case you have any questions.
    • lexcyn
      Steel Contributor
      You can add wildcards as long as they are formatted properly like [*.]domain.com. This has saved us by allowing 90% of our current domain in the allow list while we deal with other individual domains that come up.
      • SAPacker
        Brass Contributor

        That is what we ended up doing. Just disappointed in the communication. Microsoft and Google could have sent this out weeks in advance so companies can get in front of it. Places like mine use change controls, under which we just can't apply company-wide GPOs on the fly. It is what it is, just highly unlike Microsoft to not have a write-up or a pre-emptive "hey, heads up".

    • pjv4tx
      Brass Contributor

      SAPacker, at my organization, we have found that formatting a URL for the InsecureContentAllowedForUrls does accept wildcards when formatted like the following: [*.]domain.net.
