Mozilla Firefox will also block insecure downloads on HTTPS pages
Mozilla is preparing to block insecure downloads that start in HTTPS pages in Firefox with the next major release. A similar feature rolled out to Google Chrome last year, and it’s usually referred to as mixed content download blocking.
The feature is designed to ensure that users know what to expect with the websites they’re downloading files from. When you visit an HTTPS page, you expect any information you share with the website to be secured while in transit. However, it’s possible for a website using HTTPS to link to regular HTTP websites, including for file downloads. A user could unknowingly connect to a website that’s more prone to attacks from third parties.
By blocking insecure downloads over HTTP that start on HTTPS pages, Firefox can let users know when they’re trying to download a file that could be tampered with during the process. This could result in a different file being downloaded instead of what was intended. However, users can choose to proceed with the download if they trust the website in question. You can see the warning in the image below.
The goal of the feature isn’t to block all HTTP downloads, however. If you’re visiting an HTTP page, downloads will work all the same. Direct links to file downloads pasted in the address bar will also work. As mentioned above, the goal is to make sure users can trust a website and the files they download while using HTTPS.
According to references in Mozilla’s bug tracker, the feature is planned to be generally available with Firefox 92. That’s the next major update for Firefox, and it’s currently planned for September 7. It’s already available in experimental versions of Firefox, though, and you can also enable it in the stable release via a flag. Simply go to about:config and search for dom.block_download_insecure. Setting this value to true will enable mixed content download blocking.
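For site operators who want to find links that would trigger this warning, here is a static check written for this article (it is not Mozilla's code): it lists http:// download targets linked from an HTTPS page, following the rules described above. The function name, the extension list and the example.com hosts are assumptions, and the extension match is a heuristic, since the browser decides what is a download from the server's response.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Assumption: extensions treated as "likely a download"; the browser itself
# decides from the response headers, which a static scan cannot see.
DOWNLOAD_EXTS = {".exe", ".msi", ".dmg", ".zip", ".iso", ".pdf", ".apk"}

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base, self.links = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]  # first <base href> wins
        elif tag in ("a", "area") and a.get("href"):
            self.links.append((a["href"].strip(), "download" in a))

def mixed_content_downloads(page_url, html):
    """List http:// download targets linked from an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # downloads that start on HTTP pages are not affected
    parser = _Links()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    hits = []
    for href, has_download_attr in parser.links:
        target = urljoin(base, href)  # resolves relative and //host links
        parts = urlsplit(target)
        ext = splitext(parts.path)[1].lower()
        if parts.scheme == "http" and (has_download_attr or ext in DOWNLOAD_EXTS):
            hits.append(target)
    return hits

# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="http://downloads.example.com/setup.exe">Installer</a>
<a href="https://downloads.example.com/setup.msi">Installer (TLS)</a>
<a href="//cdn.example.com/tool.zip">Protocol-relative</a>
<a href="/files/manual.pdf">Same-origin</a>
<a href="http://blog.example.com/news">Plain navigation</a>
<a href="http://legacy.example.com/get?id=7" download>Report</a>
"""

if __name__ == "__main__":
    for url in mixed_content_downloads("https://www.example.com/get/", SAMPLE):
        print("insecure download link:", url)
```

Relative and protocol-relative links inherit the page's HTTPS scheme and are not reported, but a `<base href>` pointing at an http:// origin turns every relative link on the page into an insecure one.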