Forum Discussion

lexcyn's avatar
lexcyn
Steel Contributor
Apr 19, 2024
Solved

Mixed mode content download warning

After the recent update to v124 in Stable, all of a sudden we had a bunch of internal sites start throwing mixed mode content download warnings which blocked file downloads. I was able to bypass this...
SAPacker's avatar
SAPacker
Brass Contributor
Apr 25, 2024

That is what we ended up doing. Just dissapointed in the communication. Micorosft and Google could have sent this out weeks in advance so companies can get in front of it. Places like mine use change controls to which we just cant apply comany wide GPO's on the fly. It is what it is just highly unlike Microsoft to not have a write-up or a pre-emptive "hey haeds up"

lexcyn's avatar
lexcyn
Steel Contributor
Apr 25, 2024
Completely understandable. Thankfully we are agile enough to respond to things like this very quickly, but having zero communication from Google or Microsoft on this change is unacceptable. At the very least, a single line in the changelog would have saved us hours of troubleshooting and downtime.
  • pjv4tx's avatar
    pjv4tx
    Brass Contributor
    Apr 25, 2024
    Has this been confirmed as an actual change and not just a bug? I was still thinking this is something that will be patched and not a new normal...has anyone heard something different from MS or elsewhere?
    • SAPacker's avatar
      SAPacker
      Brass Contributor
      Apr 25, 2024
      Not a bug just bad communication. I expect from Google but Microsoft is usually pretty good at getting the info out before hand.
      • lexcyn's avatar
        lexcyn
        Steel Contributor
        Apr 25, 2024

        FYI - from Google (Chromium):

        Hi there,

        I do not believe that this is a regression -- none of the code involved has changed meaningfully in several releases, and the current behavior is working as intended.

         * ExemptDomainFileTypePairsFromFileTypeDownloadWarnings permits allowlisting individual extensions from "file type" warnings (e.g. "be careful, this is an executable!").
         * InsecureContentAllowedForUrls suppresses warnings that stem from the download being delivered over an insecure connection (i.e. not HTTPS).

        Those warnings are distinct, and their methods for suppressing them are distinct. You might want, for instance, to permit insecure downloads from an intranet page, but that page should still not be serving executable files. Or perhaps you're not worried about apk files, but insecure sites still pose a risk.

        As a result, I'm closing this as WontFix. If there was differing behavior, that's likely a bug in the prior behavior (versions prior to 124).

    • lexcyn's avatar
      lexcyn
      Steel Contributor
      Apr 25, 2024
      Apparently it was not a bug and this was a change made on purpose with no communication. Officially it was "Insecure download warnings feature is now enabled by default".

      I've heard rumblings they may roll it back but IMO the damage is done, may as well start implementing the new policy regardless.