Downloading a file using unencrypted HTTP from an HTTPS host doesn't show any warning to the user

Originator: KrauseFx
Number: rdar://36039748
Date Originated: December 13 2017
Status: Open
Resolved: Nope
Product: Safari
Product Version:
Classification: Security
Reproducible: Always

Summary:
When the user visits an HTTPS website, many browsers already show a warning when any of the page's assets are loaded via unencrypted HTTP (see the Mixed Content docs: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content).

However, this doesn't apply to file downloads in either Google Chrome or Safari.

This is a big problem, as anyone on the same network can easily perform a man-in-the-middle attack to read and replace the content of the file.

Steps to Reproduce:
- Visit an HTTPS-encrypted website and notice the green SSL badge next to the URL
- The user feels safe and assumes everything on this website is encrypted
- Click a download button for any kind of file that links to an unencrypted HTTP URL

Expected Results:
The browser shows a warning, or ideally an error, that the download this website tries to trigger is unsafe.

Actual Results:
The download works just fine, giving no indication to the user that it happened over unencrypted HTTP.
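Since the browser gives no indication, the check has to happen on the site side. The following audit script, an added example that is not part of the original report, finds the condition described in the steps above: download links on an HTTPS page that point at plain http:// URLs. The extension list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed list of extensions that usually mean "file download" rather than page navigation.
DOWNLOAD_EXTENSIONS = (".zip", ".dmg", ".pkg", ".exe", ".msi", ".tar.gz", ".pdf")

class LinkCollector(HTMLParser):
    """Collects (href, has_download_attribute) for every <a> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr_map = dict(attrs)  # a bare `download` attribute is present with value None
            if attr_map.get("href"):
                self.links.append((attr_map["href"], "download" in attr_map))

def looks_like_download(url, has_download_attr):
    """True if the link carries the HTML5 download attribute or ends in a known file extension."""
    return has_download_attr or urlsplit(url).path.lower().endswith(DOWNLOAD_EXTENSIONS)

def find_insecure_downloads(page_url, html):
    """Return the absolute http:// download URLs linked from an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-HTTP page has no secure context to downgrade from
    collector = LinkCollector()
    collector.feed(html)
    insecure = []
    for href, has_download_attr in collector.links:
        absolute = urljoin(page_url, href)  # relative and scheme-relative hrefs inherit https here
        if urlsplit(absolute).scheme == "http" and looks_like_download(absolute, has_download_attr):
            insecure.append(absolute)
    return insecure

# Constructed sample page: only the third link should be reported.
SAMPLE_HTML = """
<a href="https://cdn.example.com/app-1.0.dmg">Download (https)</a>
<a href="//cdn.example.com/app-1.0.zip">Download (scheme-relative, inherits https)</a>
<a href="http://cdn.example.com/app-1.0.pkg" download>Download (plain http)</a>
<a href="http://www.example.com/about">About (http, but a navigation, not a download)</a>
<a href="/releases/notes.pdf">Release notes (relative, inherits https)</a>
"""

if __name__ == "__main__":
    for url in find_insecure_downloads("https://www.example.com/downloads", SAMPLE_HTML):
        print("insecure download link:", url)
```

Running this over a real page's HTML (fetched separately) lists exactly the links that would trigger the silent HTTP download described above.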

Version/Build:

Configuration:
