Chrome is blocking downloads? Here is why!
If you have upgraded the Google Chrome browser to version 86, released on October 6, 2020, you may have noticed that some file downloads don't work anymore in the browser. You click on the download link and nothing happens. Chrome does not display a notification and there is virtually no information that explains what is happening, or not happening in this case. A check of the downloads page of the browser does not even list the file.
The fact that nothing happens can be confusing to users, as the expectation is that the download should begin after clicking on the link.
Google announced in early 2020 that it will block content that is served via the insecure HTTP if the originating page uses HTTPS. The company decided to roll out the feature gradually by adding more and more file types to the blocklist. Executable files, e.g. .exe or .bat, are the first file types to be blocked, and the release of Chrome 86 put that block in place. Future versions of Chrome will block non-executable file types such as PDF, ZIP, or JPG files.
Chrome and most Chromium-based browsers display a notification in the download panel when a download is blocked because it is offered via HTTP. Users of the browser may discard the download or select the arrow-icon to select keep. Selecting keep saves the file to the download directory of the browser.
Additional information
There is only one option to find out if a download is blocked in Chrome, or if it is an unrelated problem, e.g. a server issue.
- Select Menu > More Tools > Developer Tools.
- Switch to Console in the Developer Tools interface.
- Chrome displays a red "Mixed Content" warning for downloads that it blocks. It displays "The site at HTTPS* was loaded over a secure connection, but the file at HTTP* was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked.
Below is a screenshot of such a message.
Now that it is clear what happened, it is essential to understand what your options are to download the file.
Right now, the easiest option available is to right-click on the download link and select "save link as". The download is executed when you do that.
Note that some download links, e.g. those powered by JavaScript, won't work with the right-click bypass.
There are other options, and it is possible that Google is blocking downloads via right-clicks as well in the future:
- Use a different browser for downloads. Most browsers will follow Google's implementation however and block insecure downloads. For now, a browser like Firefox, Internet Explorer, Brave, Vivaldi, the new Edge, or Opera all allow the download.
- Use a download manager. A program like Internet Download Manager, uGet, or Xtreme Download Manager will continue to download files from HTTP sources. Whether the plugins or extensions will pick up the download is another question though, as a blocked download may not be picked up anymore, but right-clicking, saving the URL and pasting it manually in the download manager should work regardless of the browser's blocking settings.
Closing Words
The blocked file types implementation lacks clarity and information. Users who don't know about the Developer Tools won't know why a file cannot be downloaded in Chrome. The right-click bypass may work for now, but it is not clear that it does and many users may not identify it as the sole option in Chrome to download blocked files. A clear warning, with the option to override, should be displayed instead, as users should be in control of the browser and not the other way around.
Now You: Blocking file downloads without notification, good thing to protect users or user unfriendly behavior?
Google sucks. They are literally evil now, just blocking harmless files that they don’t want. I had to use Pale Moon to download it. Google can go duck themselves!!
When I cannot download a complete bios update file for my motherboard and it seems that just started happening recently (since last windows update to 20H) and it seems to be caused by Microsoft, or Google, that’s a problem and frankly, the amount of time it takes to figure out what happened just pisses me off!! Maybe AMD had to change all of their files, or maybe they just don’t care. I do know if I use Download Manager, I can get those files in a useable and complete download. If anyone from Microsoft or Google is reading this – GFY!!
I tried the Developers Tools and saw No such Red Warning message, when SlimJet (chromium) failed to download a file.
See this link for example of the problem and the workarounds on SlimJet:
https://www.slimjet.com/en/forum/viewtopic.php?f=5&t=3015
Thanks Ty for your fix.
This is a pretty annoying decision, just wanted to do some youtube to mp4 downloading and the main sites’ download buttons stopped working. Thankfully the right click->save link as worked (for now) but I would’ve liked to actually know this change happened before going through this
Very frustrated here – trying to calm down from absolute anger.
ANY user feedback would have been nice. When I click a download button (or right click) and get no response other than a quick screen flicker … I lose my mind. I hammered on the download button about a dozen times. I ended up uninstalling all of my AV and malware protection software. I disabled all of Chrome’s security settings (or so I though).
I was ready to reinstall Windows 10, but tried Edge as a last-ditch attempt and it worked. Armed with the knowledge that this is 100% a Chrome flaw (it’s a flaw … even if by intentional design in which case it’s an out-of-touch programmer), I was fortunate enough to find this comment section.
chrome://settings/content/insecureContent “allow” whatever site you’re trying to download from.
I put myself in more danger by disabling my security settings and software than I would have by downloading a bad file.
Feedback. If you’re going to absolutely block something, for the love of mankind tell user what’s happening and give us a choice.
Took me an hour to figure out why I couldn’t download a new driver for my printer. This is just stupid and may make me leave Chrome.
none of the suggested browser extensions work.
I just spent an hour on the phone with a customer trying to download critical vaccination information from the Government of Canada website because when she clicked the link, it just did nothing. Yet worked on all her other devices (Apple). Wasn’t until I checked the Dev console that I found the problem. So no error, no indication to a regular user that it is blocked. Just silently failing. Way to go, Google. Once again you are using your monopoly to dictate how you believe the Web should work. I wonder how many other calls I’m going to get now? How much more time will be wasted? I’m struggling to think how this helps end user security. Malware can be distributed just as easily over HTTPS as it can be via HTTP. And if the file is being served over HTTP, regardless of whether the linking site is HTTPS, then that file’s contents aren’t (or better not be!) needing to be securely transmitted. At least it is not Google’s place to say whether or not they should be.
Version 88.0.4324.182 (Official Build) (64-bit) was released today, on Windows 10×64 (20H2) it no longer works to right click open in new tab as a work around. The tab opens with your file name in the URL but nothing happens. Works fine in FireFox, Brave and believe it or not Edge.
On my Windows 7 SP1 (x64) machine, I have FireFox as my preferred browser, when Chrome opens the new tab, it hangs on a white screen for a bit, after about 10 seconds, Windows prompted FireFox to open and up came the option to download, I had to click a link to open File Manager to download the file and it worked.
There’s a way to bypass the blocking or at least temperately till the next update and be aware it would put your system at more greater “risk”. anyway… head to chrome://flags and search for “downloads” then look for “Treat risky downloads over insecure connections as active mixed content” and Disable it then relaunch chrome.
F$#% google. they should not be dictating what I get to download or not. idgaf, if you’re dumb enough to download a virus then its better for you not to use a computer.
Blocking of download is not a good idea , it may affect google badly. People want to download many things from the internet stopping them from doing that may harm the google badly, people easily switch to other browsers
Chrome is as big a joke as Firefox.
I went to T-Mobile last night. Tried to refill my Pay-As-You-Go account. Firefox doesn’t even work with T-Mobile – can’t even login. Chrome does allow me to login. But then when I submit my refill, nothing happens. No notification of any kind. Why? Who knows? Then I tried to save the page showing my planned submission. Chrome can’t even use the Linux Save As dialog to show the pages saved previously, although it does save the page as shown by the openSUSE file manager.
This is ridiculous. Whoever is designing these browsers (and Web sites like T-Mobile) are complete and utter morons. It’s no wonder Firefox is losing users. It’s a miracle that Chrome has any. The morons at Google think they’re superior to everyone because they work at a big corporation. So they can’t be bothered to tell the user why the browser does anything, let alone something unexpected. Design decisions are made by all these browser developers on the basis of “this is our decision, get used to it or go somewhere else.”
There is a word for that sort of behavior.
“Whoever is designing these browsers … are complete and utter morons.”
That is unfair and rude. Those people are experienced professionals trying to create the best product for their employer’s customers.
Maybe some problem of non security content? Then this will be useful for you:
“Other simple solution to solve this issue is in all websites you are visiting:
Chrome configuration > privacy and security settings > web sites configuration > non secure content > add to allow > https://*
(It works like a charm, however it seems to be more secure to allow site per site.) Thanks again, @Martin. :]”
Chrome keeps getting worse every version. Hopefully other Chromium browsers don’t follow their rubbish.
Sorry, off-topic: how is WinXP code leak not news here?
You should clarify the wording in your article. When you say “The download is executed when you do that.” you REALLY mean to say:
The file is downloaded when you do that.
By saying “The download is executed”, it implies that if you are downloading an executable, it will automatically run. That is NOT the case, and an important point to make.
Garbage like this is why I use Pale Moon. That and the fact I don’t like “Gooble” tracking me.
That garbage from pale goons that keep spinning years old unsecure moozilla code might not track but deliver a nice malware bundled into their pale web browser straight from their compromised windoze servers they cannot secure by themselves.
You’re probably just a sheep that enjoys being fleeced by “Gooble,” Microsoft, Mozilla, etc,. regurgitating the same uninformed misinformation as others.
” Firefox follows closely what Chrome does, so that Google can enforce its policies on Firefox users too.”
Can you give me some examples of this? I want to archive some of the blunders Firefox is doing.
“Firefox forks should be used to limit the damage.”
Know any good forks. I was considering trying out PaleMoon.
Anyone know if this affects e.g. Chromium/Ungoogled Chromium?
It’s making me think of using an outdated browser version… maybe go back to when Chromium had trapezoid tabs, individual tab muting, and no blocked downloads (I know, it’s bad practice; maybe possible to mitigate with uBlock, Sandboxie and no saved passwords, only KeePass?)
What if you copy the hotlink and paste it in a new tab? I never encountered this, so I had no need to try it, but I guess it should work.
Or just go to chrome://settings/content/insecureContent and add an exclusion.
I’m guessing nothing will happen as it still treats the download as “unsafe”, I already removed Chrome so I don’t feel like downloading again just to check, but that’s my guess.
Google Chrome: Never used it, and never will. This kind of behavior on the part of Google is not to protect the end user, rather it’s to establish a precedent that will allow censorship of downloads. Just switch to another browser and tell Google to take a hike.
“Just switch to another browser and tell Google to take a hike.”
The problem is that while marketing itself as the independent alternative, Firefox follows closely what Chrome does, so that Google can enforce its policies on Firefox users too. Firefox forks should be used to limit the damage.
I am not doubting your claim that Firefox follows closely what Chrome does but can you give a few examples? I would really like to know.
Also which Firefox fork do you recommend? I am looking for a new browser that is similar to FF for my win7 machine.
“The problem is that while marketing itself as the independent alternative, Firefox follows closely what Chrome does, so that Google can enforce its policies on Firefox users too.”
Can you provide some examples of Firefox following Chrome closely? I want to know these things so that the next time I talk to a FF fanboy I will bring them up. I only know about the FF android fiasco (extension support and about:config removal).
“Firefox forks should be used to limit the damage.”
Can you recommend any good one for a win7 machine? I was thinking of trying Palemoon.
I’ve been using Pale Moon for about a year now. Works great and I can even use legacy Firefox extensions. I have had absolutely no security problems.
Just right-click on the file to download and select ‘save as’
Other simple solution to solve this issue is in all websites you are visiting:
Chrome configuration > privacy and security settings > web sites configuration > non secure content > add to allow > https://*
(It works like a charm, however it seems to be more secure to allow site per site.) Thanks again, @Martin. :]
“Blocking file downloads without notification” – ANYTHING w/o notification is the worst UI scenario. Every user action has to have some system response, that’s dialog design basics since decades.
But I’m sure that this will be fixed soon (I would not expect an option to override though).
> I would not expect an option to override though
You can override it (allow insecure content) if you go to chrome://settings/content/insecureContent
This override option worked perfectly. Thank you
I was unable to listen a stream (online) radio for weeks in Chrome and I didn’t know how to solve the problem. After reading this article I found the solution because it’s the same problem as the described here: stream was http over https web. However, the solution is simple: you should add the entire web to exclusions of secure content. Privacy and security settings > website configuration > security content (at the bottom of all options) > add page to allow (exclusion) = it’s solved. Thank you @Martin for this useful article, it gave me the idea of how to solve my stream radio problem. :]
“version 86, released on September 6” – Wrong month ?
Fixed, thanks Jim!
Has anyone else noticed that color registration is off in the latest Chrome? For instance, yellow comes out as a yellow-green shade.
They should have put a switch button in Settings that allows you to easily turn this off if you know what you’re doing. The fact that you have to disable/enable a flag in about:flags means that they can easily remove the flag and leave you with tied hands and not being able to do anything other than either stick to an old version of Chrome and not update (insecure) or move to another browser.
I hope other Chromium browsers, at least Vivaldi or Brave don’t follow suit and even 1-2 years from now this is not even an issue for them, but I can see Microsoft doing it with Edge.
There is a “switch”, it’s here: chrome://settings/content/insecureContent
Only one sensible option: ditch Chrome. Should do that anyway. Plenty of good alternatives.
I unistalled it about 18 months ago. Felt food when I did it, and nothing has happened since to change my mind.
Yeah it happened to me the other day and I was clueless. Thanks for the explanation. Switched to Vivaldi for main browsing. Chrome team is full of jerks forcing behaviors often. No options kept for end users.
I can’t help thinking that this level of ‘end user protection’ security may help Firefox get a little more traction.
Why is the computer industry focused on making ‘bottom-feeders’ safe online. Surely everyone needs to learn how to check their downloads for malware no matter whether the source is download via Chrome, Firefox, mail attachment or some other source! “We protect your online safety”. Pigs … they do. The best they do is create a false sense of security.
The increasingly missing overrides even for advanced users and lack of proper information on what is going on show that the security of what you call “bottom feeders” is not their main concern here.
For instance mobile Firefox was now released without any way to disable Google download and browsing protection for advanced users. Google gets to know what you download and can track specific sites. They can also block whatever download or site they want and you can’t do anything about it, bottom or top. Pigs indeed.
Concerning for sure. Let’s just all agree that corporations with no accountability should not be trusted, we should not expect them to have our interests at heart. Mozilla was once a different entity but it has slowly descended to what we have before us now. They are perhaps beyond redemption now because the wheels have been in motion for so long at this point.
“Surely everyone needs to learn how to check their downloads for malware”.
In 2019, there were an estimated 2.6 billion users using Chrome as their browser. You are volunteering to teach the 2.5999 billion ones who “need to learn” ?
Is it really bottom-feeder vs. normal user ?
Or normal user vs. geek ?
You miss the main point. People need to learn basic precautions. It is not about somebody else doing it for you or teaching you how to do it. You know the risk. You need to learn how to look after yourself.
I don’t miss the main point.
You do not decide what people need to learn. People may not know the risk or they may know the risk and do not care.
“You need to learn how to look after yourself” – I don’t. I worked in IT security for a decade. That’s how I know that most users do not learn basic precautions.
I agree with you entirely on that thought. People do need to learn the basic precautions. People do need to learn how to look after themselves but this is the problem, companies like google put us all into a handbasket and force such measures upon us all because of a few bad apples.
Maybe Google should prompt users upon installation which version to install, the baby, hold your hand version or the normal average user that way they can also implement all the rubbish features such as this on the crayons and finger paints version and all the advanced features that a normal user would expect and more on the targeted version. It’s never going to happen though because Google wants this, they want to have all the control and dictate to people. Mircrosoft are pretty much the same also.
“Google wants … to have all the control and dictate to people.”
On the contrary !
Google invests (together with Apple) the far most money and efforts to find out what their user want.
This is the equivalent of a person refusing to get a valid drivers permit and then demanding that the roads and road rules be changed to accommodate them which is fairly typical these days but doesn’t make it right at all.
The easiest solution by far is to stop using google for your browsing needs (you would be doing yourself a favor anyway). Just because they foisted their garbage upon you many years ago by bamboozling you to download and install their browser many years ago along with their toolbar does not mean you should continue to use them. There are other similar options such as ungoogled-chromium, brave, vivaldi to name a few that may not have such restrictions in place.
There is nothing particularly brilliant that makes Google Chrome better than the rest anyway.
I don’t expect anything I say would resonate with anyone here in particular because the people that should be hearing this wouldn’t be visiting this site anyway because that would imply they are applying themselves to learn something to perhaps even somewhat enhance their web experience and abilities.
Carry on everyone.
Have a great day.
Stop using google only to support insecure downloads ?
Nobody foisted their garbage upon me and Chrome is no garbage.
Other options such as ungoogled-chromium, brave, vivaldi may be similar, but what makes Google Chrome better than the rest is that it will be there next year, while your options have the tendency to disappear in the geek+nerd-nirvana.
Just because idiots have shifted the line doesn’t mean people are geeks. I don’t even consider myself a geek by your terms because there are far more intelligent people out there than me.
That truth is people have been lulled into this garbage by the likes of schmucks like google which also have an agenda at hand to have a walled garden and total control in similar fashion to apple.
I would say browsers like firefox have been hijacked by a bunch of morons and its also headed down the baby path of lets pander to every boneheaded moron that usually will call their “friend” or unfortunate family member which happens to be their free on call 24hr techie because they haven’t bothered to learn a single thing in their entire time on the internet… It’s the “I just use the blasted thing” generation followed by the “you need a degree to use these things”.
I do feel like computers should be accessible but at some point you have to apply yourself to learn how to do things because I tell you what, your brother, son, daughter, friend etc etc that you come to for all of your computer needs will gradually get fed up of you and won’t even want to see you out of fear of being used again and again. It’s not the ignorance but the laid back stupidity and unwillingness to learn is what puts it over the edge. companies like google and apple are a huge part of the enabler problem.
These are not normal people by any stretch.
I am a computer scientist.
Once more: Normal people don’t give a f*** about “http downloads on https pages”.
And, I know it’s useless, but anyway: Google has no agenda.
I’m quite sure ransomware / malware actors can do https for their fake pages and infected downloads. I guess what Google intents to do here is a mix of security and privacy improvement. In other words, not downloading stuff that can be seen or change during transit.