  • Firefox will block insecure downloads soon by default


    Karlston


    Mozilla's Firefox web browser will block the download of insecure files soon in mixed content environments.

     

    Mixed content refers to sites that use both secure and insecure connections. Imagine the following scenario: you visit a secure site that is using HTTPS and start a download by clicking on a link. The linked resource is not served over HTTPS, but over HTTP; this is what mixed content refers to in the context of downloads.

     

    Files that are transferred via insecure connections may be tampered with, for instance by other actors on a network.
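Site operators can look for links this change will affect before visitors run into the warning. The following is an added example, not code from Mozilla or the original article: a static Python audit that flags http:// download links on an HTTPS page. The extension list and the use of the download attribute are assumed heuristics, and a static scan cannot see redirects or server-side download headers.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: extensions treated as "downloads" in this audit.
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".zip", ".iso", ".pdf", ".apk")

class LinkCollector(HTMLParser):
    """Collects <a href> targets and honours <base href> when resolving them."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.links = []  # (resolved_url, has_download_attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        elif tag == "a" and a.get("href"):
            self.links.append((urljoin(self.base, a["href"]), "download" in a))

def insecure_downloads(page_url, html):
    """Return http:// download links found on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # page itself is not secure, so this is not mixed content
    parser = LinkCollector(page_url)
    parser.feed(html)
    flagged = []
    for url, has_attr in parser.links:
        parts = urlsplit(url)
        looks_like_file = has_attr or parts.path.lower().endswith(DOWNLOAD_EXTS)
        if parts.scheme == "http" and looks_like_file:
            flagged.append(url)
    return flagged

# Constructed sample page (not taken from any real site).
SAMPLE = """
<a href="http://files.example.com/setup.exe">Installer</a>
<a href="/downloads/tool.zip">Same-origin, inherits https</a>
<a href="//cdn.example.com/image.iso">Scheme-relative, inherits https</a>
<a href="http://example.com/about.html">Plain HTTP navigation</a>
<a href="http://files.example.com/report" download>Report</a>
"""

if __name__ == "__main__":
    for url in insecure_downloads("https://www.example.com/get/", SAMPLE):
        print("insecure download link:", url)
```

Relative and scheme-relative links inherit the page's HTTPS scheme and pass, while an http:// `<base href>` silently downgrades every relative link on the page and is flagged.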

     

    Firefox will block insecure downloads that originated from HTTPS sites soon, likely in Firefox 92, which will be released on September 7, 2021.

     

    Firefox won't download the file automatically in this case; the browser displays a warning in the download panel, "File not downloaded. Potential security risk", with a red exclamation mark icon.

     


     

    A click or tap on the download in the panel opens additional information and options.

     

    Firefox users may allow the download using the prompt that opens or remove the file.

     


     

    The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content. It may still be a good idea to run the file through a virus scanner or a service such as VirusTotal to make sure it is clean and likely without danger.

     

    Firefox 92 comes with a preference switch that controls the behavior. It can be turned off to restore the previous downloading behavior:

     


     

    1. Load about:config in the Firefox address bar.
    2. Confirm that you accept the risk.
    3. Search for dom.block_download_insecure.
    4. Use the toggle icon to set the value to:
      1. TRUE: to keep the security feature enabled.
      2. FALSE: to disable the security feature.

     

    Mozilla notes that about 98.5% of all downloads in Firefox Nightly use HTTPS. In other words: 15 in 1000 downloads will be blocked once the change lands in Firefox Stable, provided that the percentage value is about the same.

     

    Google introduced the blocking of downloads in an insecure context earlier this year in Chrome 86. Most Chromium-based browsers block downloads from HTTP sources if the originating page uses HTTPS. Chrome displays a notification in the download panel if a file cannot be downloaded because it originates from an HTTP server. Chrome users may discard or keep the download, similar to how Firefox handles these downloads.

     

    Closing Words

     

    HTTP downloads that originate on HTTPS pages will be blocked by default; users do have the option to override the blocking and to disable the security feature entirely.

     

     
