Mozilla’s Firefox browser is set to block the downloading of insecure files in mixed content environments.
Mixed content occurs when websites use a combination of secure (HTTPS) and insecure (HTTP) connections. For example, when you are on a secure site and initiate a download that comes from an insecure source, it creates a mixed content situation.
Downloading files via insecure connections can pose risks such as potential tampering of the files by third parties on the network.
The upcoming Firefox version, likely Firefox 92 scheduled for release on September 7, 2021, will automatically block insecure downloads originating from HTTPS sites. Instead of initiating the download, the browser will show a warning in the download panel indicating a security risk with a red exclamation mark icon.
Users will have the option to either allow the download after seeing the warning or remove the file altogether.
It’s important to note that the blocking is due to the insecure connection and not because the file contains malware. However, it’s still recommended to scan downloaded files using antivirus software or services like VirusTotal to ensure they are safe.
Firefox 92 will include a preference setting that allows users to control this behavior. Users can disable the security feature by following these steps:
- Enter about:config in the Firefox address bar.
- Acknowledge the warning prompt.
- Search for dom.block_download_insecure.
- Toggle the value to:
  - TRUE: to maintain the security feature.
  - FALSE: to deactivate the security feature.
Mozilla reports that nearly 98.5% of downloads in Firefox Nightly are done through HTTPS. This means that approximately 15 out of 1000 downloads may be blocked once the feature is implemented in the stable version of Firefox.
Google had introduced a similar blocking mechanism earlier in Chrome 86, where downloads from insecure sources were blocked if the webpage used HTTPS. Chrome notifies users in the download panel when a file cannot be downloaded due to its HTTP source, giving them the option to proceed with the download or cancel it, similar to how Firefox will handle such cases.
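For site operators, one way to find links this blocking would affect is to scan an HTTPS page's HTML for download links that resolve to plain HTTP. The following is an added example, not code from Mozilla or the original article; the rule for what counts as a download link (a `download` attribute or a file extension from a short list) is an assumption, and the sample page and example hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".zip", ".iso", ".pdf")  # assumed list


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, has_download_attr) for every <a> tag

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        if attrs.get("href"):
            self.links.append((attrs["href"], "download" in attrs))


def insecure_downloads(page_url, html):
    """Return absolute http:// download links found on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content requires a secure page
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, has_download in parser.links:
        # urljoin resolves relative and protocol-relative (//host) links
        target = urljoin(page_url, href.strip())
        parts = urlsplit(target)
        looks_like_file = has_download or parts.path.lower().endswith(DOWNLOAD_EXTS)
        if parts.scheme == "http" and looks_like_file:
            flagged.append(target)
    return flagged


# Constructed sample page, not taken from any real site.
SAMPLE_URL = "https://downloads.example.com/tools/"
SAMPLE_HTML = """
<a href="http://mirror.example.net/tool-1.0.zip">mirror</a>
<a href="https://cdn.example.com/tool-1.0.zip">cdn</a>
<a href="//cdn.example.com/tool-1.0.exe">protocol-relative</a>
<a href="tool-1.0.dmg">relative</a>
<a href="http://legacy.example.org/get?id=7" download>legacy</a>
<a href="http://blog.example.org/post">plain link</a>
"""

if __name__ == "__main__":
    for url in insecure_downloads(SAMPLE_URL, SAMPLE_HTML):
        print("insecure download link:", url)
```

A static scan like this does not follow redirects, so it cannot see an https:// link that ends up at an http:// URL.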
Final Thoughts
Default blocking of HTTP downloads originating from HTTPS pages will give users added security. However, users will have the flexibility to bypass this blocking and disable the security feature if needed.