Slowly but surely, the web has mostly moved to using secure HTTP, or HTTPS, by default for browsing web pages. However, there are still a few exceptions, especially when it comes to content downloaded through web pages that are supposed to be safe. It's no longer enough to mark just the web page as "safe"; the resources that come from it have to be safe too. Starting next month, Mozilla will follow in Chrome's footsteps and make Firefox block downloads on HTTPS pages that come from insecure HTTP content.
The aggressive push to bring HTTPS to the forefront may have had one side effect. Most people might mistake security for safety and assume that everything on an HTTPS web page is safe. Technically, HTTPS only guarantees that the connection to the page is secured through encryption, but the content on or from the page can still be fair game for hackers.
The danger is even greater when it comes to downloaded content that does not come from the same HTTPS page. Dubbed "mixed content downloads," this is the risk of HTTPS web pages making insecure connections to HTTP resources, negating the benefits of the secured web page. Current web browsers usually warn users about visiting non-HTTPS web pages but not about downloading over an insecure connection.
Google began making changes to Chrome early last year, and Mozilla is following suit. Starting with Firefox 92, due on September 7, the web browser will block the download and warn users when they try to download something over HTTP while they are on an HTTPS page. Of course, it's not a hard block, and users can still choose to go through with the download at their own risk.
As shown by XDA, this new behavior only affects HTTP downloads on HTTPS pages. HTTP downloads on regular HTTP pages won't trigger a warning. In addition, pasting an HTTP download link directly into Firefox will also let it go through as normal.
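
For site owners who want to find links that this rule would affect before their users hit the warning, the following audit sketch is an added example, not code from Mozilla, Chrome or XDA. It assumes every `<a href>` is a potential download (a browser only knows once the response arrives), and the function name, class name and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collects <a href> values and the first <base href>, if any."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def insecure_download_links(page_url, html):
    """Return link targets that resolve to http:// on an https:// page."""
    # Same scope as the rule above: links on a plain HTTP page are not flagged.
    if urlsplit(page_url).scheme != "https":
        return []
    collector = LinkCollector()
    collector.feed(html)
    # A <base href> changes how relative links resolve, so apply it first.
    base = urljoin(page_url, collector.base or "")
    flagged = []
    for href in collector.hrefs:
        target = urljoin(base, href.strip())
        if urlsplit(target).scheme == "http":  # urlsplit lower-cases the scheme
            flagged.append(target)
    return flagged


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<a href="/files/setup.exe">relative, inherits https</a>
<a href="http://cdn.example.com/tool.zip">explicit http</a>
<a href="//mirror.example.com/app.dmg">scheme-relative, inherits https</a>
<a href="HTTP://downloads.example.com/old.msi">upper-case scheme</a>
<a href="mailto:admin@example.com">not a download</a>
"""

if __name__ == "__main__":
    for url in insecure_download_links("https://www.example.com/get", SAMPLE_HTML):
        print("insecure download link:", url)
```

Relative and scheme-relative links inherit the page's HTTPS scheme and pass; only targets that end up on `http://` are reported, and switching those to HTTPS is what avoids the warning.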