Learn about Microsoft Edge and mixed content downloads

This article explains mixed content downloads and how Microsoft Edge handles them.

Note

This article applies to Microsoft Edge version 85 or later.

What are mixed content downloads?

A mixed content download happens when you start a download from an HTML page that was loaded over a secure HTTPS connection, but one of the following conditions exists:

  • One or more of the download location's redirects was loaded over an insecure HTTP connection.
  • The final download location was loaded over an insecure HTTP connection.

Either scenario is a mixed content because the request was made using secure HTTPS and both HTTP and HTTPS content are involved in reaching the final download destination. Modern browsers display warnings about this type of content to indicate to the user that this download may be transferred insecurely even though the original page accessed was secure.

Download warnings and user options

The download warning ensures that users know that the file they're downloading could be read by malicious attackers on their network. This warning lets a user make an informed decision on whether to download the file.

In Microsoft Edge, mixed content downloads will be blocked but users can override and download the file if they want to. Microsoft Edge plans on starting to block mixed content executable file downloads starting with Microsoft Edge version 85 and will block different filetypes in future releases.

Note

Deployment of this feature is subject to change based on release schedule and user feedback.

In the download shelf, the block warning message looks like the example in the next screenshot.

Mixed content warning in download tray

On the download page, the block warning looks like the following screenshot example:

Mixed content override prompt

If a user decides to keep the download, they are prompted to confirm their action. The next screenshot shows an example of this confirmation prompt.

Choose Internet Explorer mode

Supporting policies

Enterprises that want to exclude mixed content blocking from specific websites can use the InsecureContentAllowedForUrls policy to do so.

Content license

Note

Portions of this page are modifications based on work created and shared by Chromium.org and used according to terms described in the Creative Commons Attribution 4.0 International License. The original page can be found here.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

See also