Mozilla is getting ready to introduce another significant change for Firefox users, as the company wants the browser to block insecure downloads by default.
The change is likely to happen in Firefox 92, and as reported by TechDows, it’s specifically aimed at mixed content environments.
In other words, Mozilla wants Firefox to prevent downloads that aren’t served from an HTTPS link, as there’s a chance users could end up getting a craft file that could pose a threat to their computers.
A mixed content environment uses both HTTPS and HTTP links, but more often than not, the downloads are served through HTTP. This means that while the connection itself is considered to be secured, the download is directed through an HTTP server, therefore leaving users vulnerable to potential exploits.
Firefox 92 will introduce a new default behavior, therefore blocking downloads that are served from HTTP. At this point, the Nightly builds of Firefox do allow users to turn off this setting, but most likely, Firefox plans to enforce this policy at some point in the future.
Firefox 92 is projected to land on September 7.
You can still skip the block
Needless to say, Mozilla wants the implementation to be as straightforward as possible, so when a download served via HTTP is blocked, you should see a warning displayed in the download panel, along with a message to provide additional information on what exactly happened.
“File not downloaded: Potential security risk. The file uses an insecure connection. It may be corrupted or tampered with during the download process. You can search for an alternative download source or try again later,” the message displayed after the download is blocked reads.
Users, however, will have the option to remove the file but to also allow the download should they trust the connection and therefore skip the block.