Mozilla recently revealed that it will introduce a new feature in the Firefox browser that will prevent users from downloading unsafe files in a mixed content environment.
Mixed content refers to a website that uses both a secure connection and an insecure connection.
This is an example of what Mozilla means by mixed content: a user visits a secure site that uses HTTPS and clicks on a link to start downloading the desired content, but the link points to a resource that does not use HTTPS itself and instead uses unsecured HTTP.
Files downloaded over an insecure connection are vulnerable to tampering by a man-in-the-middle on the network during transmission. The Firefox browser is scheduled to introduce this feature to block unsecured downloads from HTTPS sites as soon as Firefox 92 is released on September 7, 2021.
When users encounter this, instead of automatically downloading the file, Firefox will display a warning with a red exclamation point in the browser’s download panel and indicate that the file has not been downloaded because of a potential security risk.
Clicking on the arrows in the download panel allows you to view additional information and options for the file, and users can continue to download the file based on the prompts and their own judgment, or delete the file.
The download of the file is only blocked because of an unsafe connection, not because the browser detected that the file contains a virus or other malicious content. If users insist on downloading, it is best to scan the file with security software before running it to be sure.
Mozilla points out that, according to its statistics, about 98.5% of downloads currently use HTTPS; in other words, once this change is officially introduced in Firefox 92, it will not affect most users.
Google introduced the ability to block downloads in insecure environments in Chrome 86. Most Chromium-based browsers today block downloads from HTTP sources. In this case, users can also drop or keep the download, similar to how Firefox handles these downloads.
With Firefox adding this feature, all major desktop browsers on the market now support it.
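Site operators can check their own pages for the mixed-content case described above (an HTTPS page whose download link resolves to plain HTTP) before browsers block it. The following is an added example, not code from Mozilla or the original article; the sample page URL, HTML and function names are constructed for illustration, and the regex-based link extraction is a simplification of real HTML parsing.

```javascript
// Constructed sample: an HTTPS page with a mix of link styles.
const SAMPLE_PAGE_URL = "https://downloads.example/releases/index.html";
const SAMPLE_HTML = `
  <a href="https://cdn.example/tool-1.2.zip">Secure mirror</a>
  <a href="http://mirror.example/tool-1.2.zip" download>Legacy mirror</a>
  <a href="//cdn.example/tool-1.2.sig">Protocol-relative</a>
  <a href='tool-1.2.tar.gz'>Same directory</a>
  <a href="HTTP://MIRROR.EXAMPLE/tool-1.2.exe">Upper-case scheme</a>
  <a href="mailto:security@downloads.example">Contact</a>
`;

// Pull href values out of <a> tags (double-quoted, single-quoted or bare).
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push(m[1] ?? m[2] ?? m[3]);
  }
  return hrefs;
}

// Return the links on an HTTPS page that resolve to plain HTTP.
// Relative and protocol-relative links inherit the page's scheme,
// so only explicit http:// targets are reported.
function findInsecureDownloadLinks(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // not a mixed-content case
  const flagged = [];
  for (const href of extractHrefs(html)) {
    let target;
    try {
      target = new URL(href, page); // resolve against the page URL
    } catch {
      continue; // unparsable href: nothing to download
    }
    if (target.protocol === "http:") {
      flagged.push({ href, resolved: target.href });
    }
  }
  return flagged;
}

console.log(findInsecureDownloadLinks(SAMPLE_PAGE_URL, SAMPLE_HTML));
```

Each reported link should be moved to an HTTPS source that actually serves the file, since rewriting the scheme alone does not help if the mirror has no valid HTTPS endpoint.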