w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Are there any compliant mixed download implementations? #71

Closed hamishwillee closed 2 months ago

hamishwillee commented 2 months ago

The spec defines mixed downloads as (paraphrasing) "a download from a secure context over an insecure link". The spec says these should be blocked.

I tested downloading the image at https://mixed.badssl.com/, which is auto-upgraded on Chrome and FF127. But it is still an http URL, so it becomes a mixed download if you try to download it.

Do you know what the standards position on this part of the spec is / if anything actually matches the spec?

This is for MDN docs https://github.com/mdn/content/issues/33592

annevk commented 2 months ago

It might be better to test <a href="[insecure]" download>.

It seems weird that if the image is auto-upgraded you'd still download the insecure variant. I would consider that an implementation bug.

hamishwillee commented 2 months ago

Thanks. It is not beyond the bounds of possibility that my test is broken - I just opened the image in https://mixed.badssl.com/ and then did "Save As" on the tab.

Do you think a download test for <a href="[insecure]" download> would work from a localhost-served file? That's easier for me to set up than HTTPS.

annevk commented 2 months ago

https://software.hixie.ch/utilities/js/live-dom-viewer/?%3Ca%20href%3D%22http%3A%2F%2Fexample.com%2F%22%20download%3Etest%3C%2Fa%3E

hamishwillee commented 2 months ago

Thanks very much. As you say, it works. Compatibility data updated.
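The distinction the thread turns on (an http image being auto-upgraded while an `<a href="http://..." download>` on the same secure page is a mixed download that must be blocked) can be modelled in a few lines. The following is an added example, not code from this thread, the Mixed Content spec editors or any browser. It assumes a simplified version of the Secure Contexts "potentially trustworthy URL" test (https:/wss:, file:, data:, localhost and loopback hosts), the spec's upgradeable destinations (image, audio, video), and constructed sample URLs built around the `http://example.com/` anchor from the live-dom-viewer link above.

```javascript
// Added example (not from the thread, the spec, or any browser): a small model of
// how the Mixed Content spec treats a request made from a secure context.
//
// Two rules are modelled:
//  1. "Upgradeable" content (image, audio, video destinations) fetched over http:
//     is rewritten to https: before fetching, which is why the badssl image loads.
//  2. Any other request whose URL is not "a priori authenticated" is blockable,
//     and a download falls in that group, so it is blocked rather than upgraded.
// The trustworthiness test follows the Secure Contexts definition of a
// potentially trustworthy URL and is deliberately simplified (assumption).

const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const LOCAL_SCHEMES = new Set(["file:", "data:"]);
const UPGRADEABLE_DESTINATIONS = new Set(["image", "audio", "video"]);

function isLoopbackHost(hostname) {
  // WHATWG URL keeps the brackets on IPv6 hostnames, so loopback is "[::1]".
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable URLs are never trusted
  }
  if (SECURE_SCHEMES.has(url.protocol) || LOCAL_SCHEMES.has(url.protocol)) return true;
  return isLoopbackHost(url.hostname);
}

// Decide what happens to a request made from `documentUrl` for `requestUrl`
// with the given fetch destination ("image", "script", "download", ...).
// Returns { action, url } where action is "allow", "upgrade" or "block".
function applyMixedContentPolicy(documentUrl, requestUrl, destination) {
  if (!isPotentiallyTrustworthy(documentUrl)) {
    return { action: "allow", url: requestUrl }; // not a secure context: no mixed content
  }
  if (isPotentiallyTrustworthy(requestUrl)) {
    return { action: "allow", url: requestUrl }; // a priori authenticated
  }
  let url;
  try {
    url = new URL(requestUrl);
  } catch {
    return { action: "block", url: requestUrl }; // nothing fetchable
  }
  if (UPGRADEABLE_DESTINATIONS.has(destination) && url.protocol === "http:") {
    url.protocol = "https:"; // upgrade instead of block
    return { action: "upgrade", url: url.href };
  }
  return { action: "block", url: requestUrl };
}

// The thread's test case: <a href="http://..." download> on a secure page.
function isMixedDownload(documentUrl, href) {
  return applyMixedContentPolicy(documentUrl, href, "download").action === "block";
}

// Constructed sample cases (not measurements from any browser): the thread's
// anchor from an https page, the same anchor from a localhost-served page,
// an http image from an https page, and a control from a plain http page.
const SAMPLE_CASES = [
  ["https://example.com/", "http://example.com/", "download"],
  ["http://localhost:8000/test.html", "http://example.com/", "download"],
  ["https://example.com/", "http://example.com/image.png", "image"],
  ["http://example.com/", "http://example.com/", "download"],
];

function runSamples() {
  return SAMPLE_CASES.map(([doc, req, dest]) => {
    const { action, url } = applyMixedContentPolicy(doc, req, dest);
    return { doc, req, dest, action, url };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(`${r.dest} ${r.req} from ${r.doc}: ${r.action} (${r.url})`);
  }
}
```

Running it with `node` prints one line per sample: the download from the https page and from the localhost page are both blocked (localhost is a secure context, so the `<a download>` test works there without setting up HTTPS), the http image from the https page is upgraded to `https://example.com/image.png`, and the plain-http control is allowed because it is not a secure context at all.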