Starting with version 93, Firefox blocks downloads via http on https websites by default. Downloads from sandboxed iframes are also blocked unless the iframe contains an attribute that allows downloads.
The moment Firefox 93 detects a download via http, a prompt appears that lets the user either download the file or cancel the process. The notification states that an insecure http connection has been detected and that a ‘potential security risk’ exists.
“Using an insecure http connection, a hacker can modify or even replace downloadable files with malicious files,” it says on the Mozilla blog. “This can infect an entire system.”
Downloading files via sandboxed iframes is also blocked in version 93. These iframes often serve to embed third-party content on a website, but are also used to perform drive-by downloads, according to Mozilla. Drive-by downloads place unsolicited files on a user’s computer, often without requiring any interaction. Such downloads are blocked by default unless the specific iframe carries an attribute in its code that allows downloads.
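For site owners who want to see which of their markup these two protections touch, here is an added example (not code from Mozilla or from the original article): a Node.js script that scans HTML, assumed to be served over https, for links that point at http URLs and for sandboxed iframes whose `sandbox` attribute lacks the `allow-downloads` token. The function names, issue labels and sample markup are constructed for illustration, and the regex-based scan is a simplification of real HTML parsing.

```javascript
// Added example. Assumes the audited page itself is served over https.
// Regex scan for brevity; attribute values containing ">" need a real HTML parser.

// Constructed sample markup (hypothetical hosts).
const SAMPLE_HTML = `
<a href="http://downloads.example/setup.exe" download>Installer</a>
<a href="https://downloads.example/setup.exe" download>Installer (TLS)</a>
<iframe sandbox="allow-scripts" src="https://widgets.example/a"></iframe>
<iframe sandbox="allow-scripts allow-downloads" src="https://widgets.example/b"></iframe>
<iframe src="https://widgets.example/c"></iframe>
`;

// Parse one start tag into a map of lowercased attribute names to values.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, "").replace(/\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return findings for markup affected by the two behaviours described above.
function auditDownloads(html) {
  const findings = [];
  for (const m of html.matchAll(/<(a|iframe)(?=[\s>])[^>]*>/gi)) {
    const name = m[1].toLowerCase();
    const attrs = parseAttrs(m[0]);
    const href = (attrs.href || "").trim();
    // A link to an http URL on an https page: a download from it gets the prompt.
    if (name === "a" && /^http:\/\//i.test(href)) {
      findings.push({ issue: "http-download-candidate", url: href });
    }
    // Only iframes that carry a sandbox attribute are sandboxed at all.
    if (name === "iframe" && "sandbox" in attrs) {
      const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      if (!tokens.includes("allow-downloads")) {
        findings.push({ issue: "sandbox-blocks-downloads", url: attrs.src || "" });
      }
    }
  }
  return findings;
}

console.log(auditDownloads(SAMPLE_HTML));
```

Whether an http link actually triggers a download depends on the server's response, so the first finding type marks candidates to review rather than confirmed blocks.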
Firefox 93 is rolling out to all users starting today.
Notification in Firefox version 93 on http download