Chrome blocks Bridgewater-Brunel downloads via links

[Matthew]

Today a new user tried to download the Simutrans-Extended package for Windows from Bridgewater-Brunel, but Chrome blocked him. If I understand Google's announcement correctly, this affects all http: downloads of .exe and .zip files from https: pages since late October.

Steps to reproduce

1. Open Google Chrome version 85 or later
2. Paste https://forum.simutrans.com/index.php/topic,16703.0.html into the Address Bar and go to it
3. Search for the words "can be downloaded in .zip format here" and click on the link in "here"
4. Nothing will happen.
5. Right-click on the link in "here" and choose "Save link as..."
6. You will see a message such as this:


Note that the problem occurs because forum.simutrans.com serves pages in https: and Bridgewater-Brunel does not. Links from any other https: site (such as Discord in the browser) will also fail.

I imagine this is already in Chromium too. Edge and Firefox plan to follow suit, but it seems that Edge's implementation gives you a pop-up allowing you to still download, which Chrome apparently does not. I would not be surprised if this affected HTML-based apps (such as the Discord client) in the future too.

Google's recommended solution is to upgrade Bridgewater-Brunel to use https, which will require a certificate (unless the VPS deal already includes one). The Let's Encrypt non-profit provides them free of charge. I don't know how to do that, but Isaac must.

Another solution is to move to distributing via GitHub. It does not really add any dependencies since GitHub is already essential to our development process.

A workaround is to edit all forum pages to change the instructions to cut-and-pasting instead of clicking on links. But I would not be surprised if Chrome eventually blocks http links altogether by the end of the 2020s. And of course, we can't stop people adding links on Discord and elsewhere.

[jamespetts]

Thank you for letting me know. It will take me a considerable amount of time to investigate the steps necessary to set up the server to use https and I will have to balance that with all the time necessary to spend on other matters. That would probably ultimately be the best solution, however.

As to distribution via Github, this has been discussed before; the amount of work necessary to set up CI builds there is likely to be extreme, and that is without taking into account the possibility of different toolchains for different platforms there resulting in losses of synchronisation between server and client, as currently occurs between a Visual Studio build and a GCC/Mingw build.

[prissi]

To make the server secure and use https (if it had not been enabled) is very easy with let's encrypt.

Follow these instructions and after about 20 minutes the server will have https support and self-renewing certificate. I did this on all my servers, and some were harder (since non standard https on different ports) but still relatively easy.

Code Select Expand


sudo apt-get install certbot
sudo apt-get install python-certbot-apache
certbot --apache


This installs the certificate downloader, turns https on on an apache webserver and make https first choice for pages. It will renew the certificate every 3 months. Work done.

[jamespetts]

To make the server secure and use https (if it had not been enabled) is very easy with let's encrypt.

Follow these instructions and after about 20 minutes the server will have https support and self-renewing certificate. I did this on all my servers, and some were harder (since non standard https on different ports) but still relatively easy.

Code Select Expand


sudo apt-get install certbot
sudo apt-get install python-certbot-apache
certbot --apache


This installs the certificate downloader, turns https on on an apache webserver and make https first choice for pages. It will renew the certificate every 3 months. Work done.

That is very helpful - thank you. I have now enabled this and amended the links on the download thread to HTTPS.

[Matthew]

To make the server secure and use https (if it had not been enabled) is very easy with let's encrypt.
... Work done.

This is a beautifully simple solution. Thank you, Prissi!

The fix was tested using the steps to reproduce above and works correctly.