
Google Chrome to block file downloads over HTTP - AndrewDucker
https://www.theregister.co.uk/2020/02/07/google_chrome_blocking/
======
heartbeats
And in ten years, I'm sure they'll ban HTTP altogether.

This is unacceptable, IMHO. I was trying to use a site with misconfigured HSTS
the other day, and it wouldn't let me. No override, no nothing. That's just
offensive. If it gives me a warning, fine. But when it outright tells you, "no
I know better than you and I'm going to be smug about it," then this has gone
too far.

Browsers are "user-agents," meaning they act on behalf of the user. If they do
not do this, they are not browsers anymore.

~~~
jxcl
This is the documented standard behavior [1]. You’ll find all conforming
browsers do this.

[1]: https://tools.ietf.org/html/rfc6797#section-12.1

~~~
AndrewDucker
That makes total sense.

"If a web application issues an HSTS Policy, then it is implicitly opting into
the "no user recourse" approach, thereby all certificate errors or warnings
cause a connection termination, with no chance to "fool" users into making the
wrong decision and compromising themselves."

------
crazypython
Bad title. Should be "Google Chrome to block HTTP file downloads on HTTPS
origins."

~~~
blinotz
This matters. I was mad at Chrome till I read this comment.

