Firefox 92 to block downloads over an insecure connection

Mozilla plans to launch Firefox 92 during the first week of September 2021. One of the changes in the upcoming release is additional download protections. Firefox 92 will follow Google's recent improvements that make sure a browser warns users about potentially unsafe downloads over an insecure connection.

Once Firefox 92 is out, the browser will warn users if an HTTPS-based website tries to download a file using the unprotected HTTP protocol. HTTPS makes sure the traffic is encrypted, which prevents "man-in-the-middle" type of attacks. Users consider HTTPS websites secure, so they might not pay attention when a page tries to download an object using the HTTP protocol. Of course, the mere use of HTTPS does not mean a website is safe, and downloads are harmless, which means common sense is still required to keep a computer away from malware. That is one of the reasons why Google considers replacing the lock icon in the Omnibar with a regular arrow-down button.

It is worth mentioning that Mozilla does not want to prevent users from downloading any files over HTTP. When faced with a warning prompt, users will have an option to override the message and allow downloading, assuming they trust the source and understand the risks (using regular HTTP potentially lets bad actors modify download during delivery). Also, Firefox will not block downloads if you paste a link to a file directly into the address bar.

Besides allowing users to override the download warning, Mozilla offers an option to disable it altogether. To do so, go to about:config and turn off the dom.block_download_insecure option.

You can read more about mixed content download blocking in Firefox 92 on the Bugzilla website. According to Mozilla's plans, Firefox 92 will be released on September 7.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: