Edge version 124.0.2478.51 causes issues with http pages

[German]Brief information for blog readers that Maksymilian has just pointed out to me. Microsoft's developers updated the Edge browser to version 124.0.2478.51 on April 19, 2024. However, this causes problems with (insecure) http pages and blocks downloads, for example. It's stupid when this happens on an intranet in a corporate environment. Incidentally, this also applies to the Chromium counterpart. But there is a workaround that Maksymilian provided me with (thanks for that).

Edge 124.0.2478.51 has issues with http

Microsofts Edge and Google's Chromium developers are always good for surprises. Edge version 124.0.2478.51 is intended to close various bugs and vulnerabilities. It also introduces some new features. Today Maksymilian contacted me by email and wrote:

Hello Günter,

I wanted to draw your attention to something that has been occurring since 19.4.24 with the latest Edge update version 124.0.2478.51:

Pages that still function as HTTP (often in companies as intranet pages) and users want to download files from them, this is blocked. Unfortunately, this was not mentioned in the changelog, but was uncovered by the frustration of the community.

Maksymilian provided me with several sources on the web where the problem is addressed. On Reddit.com you can find this post with the following content:

Edge 124.0.2478.51 PDF cant be downloaded. Since the newest update we cant download Pdf files which are viewed through the edge. If you can press the save button and it will start to download, but after that it will show you an error message that it cant be downloaded. Has anyone else this issue?

In this specific case, the affected person can no longer download PDF files with Edge 24.0.2478.51. The download starts, but there is an error stating that the file cannot be downloaded. Another user confirms this and writes that he also has this problem in his work environment. It affects file downloads from all internal http sites, although it is unclear whether all file types are affected or just a selection.

In the Microsoft Techcommunity there is a user post Mixed mode content download warning, which also deals with the issue. The affected person writes that after the recent update to Edge v124 Stable, he suddenly has the problem that a number of internal websites that issue mixed mode content download warnings and blocked file downloads. Someone wrote that it also affects the Chromium browser and posted this bug report on Google.

Workaround for the problem

Those affected in the reddit.com thread wrote that they hope to be able to solve the problem with a GPO change. Maksymilian included the link to the relevant Microsoft policy Control where security restrictions on insecure origins apply in his email. With this policy, administrators can specify permitted origins for legacy applications that cannot provide TLS. This involves specifying a list of sources (URLs) or hostname patterns (e.g. "*.contoso.com") to which the security restrictions on insecure origins do not apply.

This policy also prevents the origin in the omnibox from being marked as "Not secure". Setting a list of URLs in this policy has the same effect as setting the command line flag '–unsafely-treat-insecure-origin-as-secure' on a comma-separated list of the same URLs. When this policy is enabled, it takes precedence over the command line flag. Maybe it will help someone.

Problem with SSL inspection for https pages

German blog reader Dirk contacted me by email afterwards because he had read the article. He writes that problems have been occurring in his company environment since yesterday with https pages that are subjected to SSL inspection. This affects Chromium browsers, while it works with Firefox. The problem occurs randomly, writes Dirk and adds: "Strangely, we are currently only seeing it on Windows 10/Windows 11, but not on the server variants under Citrix with the same proxy and Edge version." Has anyone from the readership made similar observations?

A reader wrote to me on Facebook that he had also encountered the issue with SSL inspection on some clients – but not on all of them, despite the latest Chrome and Edge versions. The reader is still looking into why this is the case, but suspects that the enable-tls13-kyber flag in Chrome is the problem because it is now set to active by default. If you deactivate the option, the affected clients no longer have any problems.

Microsofts confirmation

Addendum: In an update to Edge Version 124.0.2478.67 from April 26, 2024, Microsoft confirmed the issue als accidental – and wrote:

Announcement: Insecure downloads over HTTP

Users that download potentially dangerous content on HTTP sites will receive a UI warning, (for example, "sample.exe can't be downloaded securely"). The user can still choose to proceed by selecting "Keep" on the downloaded item's "…" menu. Admins can also use the InsecureContentAllowedForUrls policy to specify HTTP sites where the warning will be suppressed. The warning's enablement in Edge 124 was accidental. We have reverted the warning in this Stable Release. Admins can use the InsecureDownloadWarnings feature flag to test the impact of this upcoming feature.

In a Note Microsoft wrote, that the warning is planned to be turned on in Microsoft Edge version 127.

Similar articles
New Microsoft timeline for the introduction of the Adobe Acrobat PDF engine in Edge Chromium
Microsoft Edge Bug CVE-2024-21388 allowed to install arbitrary extensions
Windows: Edge 123.0.2420.65 update from March 2024 unintentionally brings co-pilot app; no "spy function"