Forum Discussion
Mixed mode content download warning
After the recent update to v124 in Stable, all of a sudden we had a bunch of internal sites start throwing mixed mode content download warnings which blocked file downloads. I was able to bypass this by adding the download URLs into the "allow insecure content on specified sites" policy, but I can't find any information as to why this all of a sudden changed in the latest version. There was nothing in the changelog that I saw that would affect this. Any ideas? Has anyone else experienced this issue?
Thanks for everyone's patience!
We have just posted an update in the Stable Release Notes. Please see:
Microsoft Edge release notes for Stable Channel | Microsoft Learn
-Kelly
- MSizec Copper Contributor
Hi!
Same here, you're not alone!
Like you, we did not find any related modification in the v124 changelog.
- SAPacker Brass Contributor
It's happening with the 124 version of Chrome also, so it looks like it's a Chromium bug.
- lexcyn Steel Contributor
SAPacker good to know.
Edit: I could not find a bug submitted for Chromium so I've submitted one here: https://issues.chromium.org/issues/336490879
- HanzelMan71 Copper Contributor
We did not experience the issue with Chrome; just Edge. In fact, some savvier (is that a word?) users tried Chrome and it worked for them.
Good to know though in case it starts there too.
- pjv4tx Brass Contributor
lexcyn, thanks for your post!
We are finding what looks to be the same issue at our organization. Toward the end of last week (April 19th) users started reporting issues when trying to download routine reports, Excel, PDF, etc.
They're receiving a native Edge dialogue that states "This file can't be downloaded securely. Malicious attackers might be able to read or change insecurely downloaded files." I was scratching my head trying to figure out if something had changed in our browser/security policies.
I can also confirm adding affected addresses to the InsecureContentAllowedForUrls policy setting is functioning for us as a workaround right now.
- SAPacker Brass Contributor
Same with us
- HanzelMan71 Copper Contributor
Same here for Edge.
- SAPacker Brass Contributor
Followed by:
Good day to you.
At the moment we do not have any documentation from Microsoft that explicitly states that this is an intended change from Microsoft to provide enhanced security. And as for the wildcards, * is not an accepted value for this policy.
You can refer to https://go.microsoft.com/fwlink/?linkid=2095322 for more information on formatting the URLs.
Please feel free to reach out to us in case you have any questions.
- lexcyn Steel Contributor
You can add wildcards as long as they are formatted properly like [*.]domain.com. This has saved us by allowing 90% of our current domain in the allow list while we deal with other individual domains that come up.
- SAPacker Brass Contributor
That is what we ended up doing. Just disappointed in the communication. Microsoft and Google could have sent this out weeks in advance so companies can get in front of it. Places like mine use change controls to which we just can't apply company-wide GPOs on the fly. It is what it is, just highly unlike Microsoft to not have a write-up or a pre-emptive "hey, heads up".
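The thread's two statements about allow-list entries (a bare `*` is not accepted, `[*.]domain.com` is) can be checked before a list goes into change control. The linter below is an added example, not code from any poster or from Microsoft; its pattern grammar is a simplified assumption rather than the browser's own parser, and all hostnames are constructed.

```python
import re

# Simplified grammar (assumption): optional http/https scheme, optional "[*.]"
# subdomain wildcard, dotted hostname, optional port. Not the browser's parser.
PATTERN_RE = re.compile(
    r"^(?:(?P<scheme>https?)://)?"
    r"(?P<wild>\[\*\.\])?"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)

def lint_entry(entry):
    """Return (status, reason) for one entry; status is ok, warn, reject or review."""
    e = entry.strip()
    if e == "*":
        return ("reject", "bare * is not an accepted value for this policy")
    m = PATTERN_RE.match(e)
    if not m:
        if "*" in e and "[*.]" not in e:
            return ("reject", "wildcard must be written as [*.]domain")
        # Anything else (paths, other schemes) is outside this sketch's grammar.
        return ("review", "outside the simplified grammar, check by hand")
    labels = m.group("host").split(".")
    if m.group("wild") and len(labels) < 2:
        return ("warn", "wildcard over a single-label host covers a whole suffix")
    if m.group("wild"):
        return ("warn", "covers every subdomain; narrow to specific hosts when known")
    return ("ok", "single host")

def lint_allowlist(entries):
    """Lint every entry and return {entry: (status, reason)}."""
    return {e: lint_entry(e) for e in entries}

# Constructed sample entries, not taken from the thread.
SAMPLE = ["*", "*.corp.example", "[*.]corp.example", "[*.]example",
          "reports.corp.example", "https://files.corp.example:8443"]

if __name__ == "__main__":
    for entry, (status, reason) in lint_allowlist(SAMPLE).items():
        print(f"{status:6} {entry:35} {reason}")
```

Entries marked `warn` are valid but broad, which makes them candidates to replace with individual hosts once the affected download servers are known.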