Firefox 61 will block FTP subresources
Mozilla plans to disable support for FTP subresources (subresource requests) in the stable version of Firefox 61. Firefox 61 will be released on June 26, 2018 to the stable channel according to the Firefox release schedule.
FTP subresource requests are made on web pages that are loaded in the web browser. This includes requests using script and iframe requests that point to FTP resources.
HTTP and HTTPS webpages may reference FTP resources just like other HTTP or HTTPS resources may be referenced. The referenced FTP resources may be used to load images from FTP locations or other content.
Firefox displays a warning in the browser's Developer Tools if webpages attempt to load FTP subresources in an iframe. The warning reads: "Loading FTP subresource within http(s) page not allowed (Blocked loading of FTP URL)".
The change won't block direct FTP links on webpages and Firefox won't block FTP addresses that users type or paste in the browser's address bar either.
Mozilla gives several reasons for the change; the most important is that FTP is not a secure protocol and that it should not be used anymore for that purpose because of that. Firefox should display mixed content warnings on HTTPS pages with FTP subresource requests but the same is not true for FTP subresource requests on HTTP pages.
Bleeping Computer suggests that compromised FTP servers are often used to distribute malware to user computers and that the loading happens via FTP subresources.
Google blocked the loading of FTP subresource requests in the Chrome browser in Chrome version 63 which the company released last year.
Mozilla Firefox and Google Chrome mark FTP connections as insecure in the address bar already to indicate that connections to FTP resources are not secure.
A Chromium bug listing revealed in 2015 that Google had plans to deprecate FTP support in the browser and Mozilla created a bug listing of its own around the time that referenced Google's decision. The browser makers have not acted yet but it is probably only a matter of time before FTP support is removed in its entirety from web browsers.
The most likely solution is that FTP links will then open in FTP or file transfer software programs that are available on the device.
Mozilla will introduce a new flag in Firefox 60 to disable FTP support in the browser.
Closing Words
FTP usage is at an all-time low, at least in web browsers. The move may impact some web offerings negatively but it should improve user security overall.
Now You: Do you use FTP?
I don’t use FTP but I do know people tend to use a browser that works for them in what they need it to do. Like Flash when you take that away or make it difficult to a average Joe to get something to work. They generally just use something else that does work. No matter if its safe, or the best practice. Probably why you still see browsers like Internet Explorer still hanging around in market shares because modern browsers have made saving the web from ourselves a priority. What’s more troubling is that Chrome with its domination of market share pretty much dictates what is acceptable and not acceptable these days. With the rest following in that path and users just accept that it must be correct because Google knows best, right?
One very good reason to not upgrade. What would Mozilla/Firefox block next time?
Mozilla/Firefox isn’t anymore a beacon of freedom.
Mozilla has become a pom-poms swinging Google Chrome fan-girly. The only category beside being a do-gooder which Mozilla is still fulfilling today.
FileZilla is not related to Firefox or Mozilla. It will not be affected by this change.
Up to now Filezilla 3.32 (64 bit).
Should I use not browser dependent standalone installed program FireFTP, the Java Based FTP Client AnyClient Web Edition or net2ftp?
Do you know maybe a better standalone installed program (With maybe even a portable version)?
Or should I go for a totally another way namely Croc:
Here’s my shameless plug of a new tool I’ve been looking at. Essentially it is the same as wormhole but it has no dependencies, you can just download it and run. It does encryption, too, and uses parallel TCP ports to transfer files as fast as possible (which is about as fast as all the other programs).
This solution ends up being ideal for geeks and non-geeks because its simple for me (I just download and run with the file as a flag) and its simple for the non-geek (he or she just downloads and run).
https://schollz.github.io/sending-a-file/#croc
A good move, FTP is like torrents better handled outside the browser.
Only a very simple user without any respect for features would say something like that.
It scares me every time that Mozilla – who once was all about giving users power is now happily collecting the same kind of simplicity fanatics like Chrome does.
Just because you can not understand and see no use in a feature like FTP – it does not mean it is bad and useless.
People like you really are a serious head-scratcher and a pain to endure!
Well @Kossan Nyx, Mozilla is still allowing you to manually enter and FTP address so you can still use FTP. If I were to use FTP on a more consistent basis, I prefer to use FileZilla anyway.
But you have to stop looking at the progression of browser simplicity as a bad thing. Power users are no longer a primary audience. They were a decade ago, because that’s all there were. There was not the heavy use of Android and iOS. In fact there are people that love using the Internet now, but never did then, because they never wanted to use “computers”. To such users, mobile phones are not computers (of course, you and I know better).
But most of the Internet is consumed on these mobile devices now. Desktop web browsing is no longer mainstream. So what is Google and Mozilla to do? Google sees their browser as a conduit of moving/syncing user content between the desktop and the Android environment, so they continue to engage that mobile audience. And Mozilla is losing their audience to Google because they were too slow in redirecting their efforts towards mobile. The masses don’t care about customization, add-ons or the like. They just want to engage easily on mobile.
Since when are features something that need to be “respected” by users? If my tape deck had a solenoid logic transport to start and stop the tape, I didn’t “respect” it – I was glad the tool was there to accomplish my task more easily, but that was the extent of it. Respect for features? What on earth is that? See the “simple” user (as you insultingly put it) wants to browse, run apps communicate and get on with their day. They’re not trying to be application UI architects by caring where tabs are located or whether they use a separate box for searches vs URLs. They just need the nuts and bolts. We should be so lucky to not be so preoccupied with such inane things.
You wrote “Just because you can not understand and see no use in a feature like FTP – it does not mean it is bad and useless.” – – – and you’re right, but I don’t feel that Jessica was trying to say you can’t be allowed that FTP feature. She just understood (in her own mind) why it was being deprecated. Nothing ran any deeper than that.
But also, you then have to be able to “understand and see use in a feature” like a simpler, bare-bones intercace. Many if not MOST Internet users prefer it – and by no means are these dumb people.
@Jody Thornton
Sorry if i am now going to crash your nice discussion here, but allow me to break into it and make my small attempt of a contribution.
All your rambling does not explain why it should not be possible to have both on board features for power users or simplicity (which is standard for fresh, just right now installed programs).
Changing times is not at all a good reason – it all depends on what developers prefer. If you want and are interested you can still focus on power user features combined with simplicity. Also – Just because you prefer a simple surface, does not mean it is best for everyone, and you only speak and argue (like so many other simplistic users) in a heavily biased way, seen from what you prefer and want. While most power users are willing that simple users have their native experience – as long as the power users can activate their own additional features in whatever for a way. No matter if it was in versions before Australis with just switching on some checkboxes or Australis.. with adding CTR or now after Australis with editing userchrome (which will go away also in the future as Mozilla sides only with simplistic users today).
Just telling you, even if i am using these days Chrome and have stopped being a power user, i acknowledge and support the ones with the opinion that it was just out of pure calculation and a the mind-set that all what counts is competing with the big ones which made Mozilla decide in the end to deprecate all their power users and their features.
I would even argue that “power user features” are not at all deprecated. There are only 2 kind of developers around – the ones who value those users and their demands or that ones who just have decided that more simplistic users are the only ones worthy of attention. And with all respect… If such a developer was previously supporting and and encouraging and then suddenly decided that it time to shifting their tides and even is not giving an apology to the users they once loved and preferred and instead just deprecating them and their needs… Well, i personally would call a team like that ruthless without appreciation for others.
We have on the one side developers (not only browser related) who are thinking that giving users more options and choice and a default simple setup out of the box (VLC player, XMPlay, Vivaldi, Falkon and more) is the right thing – developers which show that they care and value also not simplistic users only and are not interested in focusing on numbers, statistics or competing with others. Some of them even corporations – which normally think in a different way
and
We have on the other side developers who are interested in focusing on numbers, statistics or competing with others like Mozilla, Opera, Microsoft, Apple, Google and many more – some of them having from the beginning being focusing more simplistic users, and some of them – after getting influenced from others – have decided to “switch sides” – and giving their origin users not the tiniest bit of respect or the ones who have created themes and extensions for those developers.
Also, i am the best example that simple users are not all stupid. But the majority has no clue of how things work, they are unwilling to get in touch with other functions which they call bloat and useless and who are not at all understanding or acknowledging other users needs – and therefor demand most of the time… “Pull that bloat crap out of the product or i leave in xxx days” or something like that. There is a very high degree of simple users who are just plain jerks for their own (valid, from their own point of view) reasons, yet they still are jerks.
In the end, there is not only the kind of business and numbers mind-set around – but to think otherwise you must have respect and being open for alternatives – something which neither.. Opera or Mozilla are still doing.
@Vakarian wrote:
…. [All your rambling does not explain why it should not be possible to have both on board features for power users or simplicity (which is standard for fresh, just right now installed programs] ….
Well first it wasn’t rambling. I made concise points. Secondly, it’s not impossible to have both. But companies want to expend effort only when there is a reasonable return (whether that be money, or mileage made on goal achievement, whatever you’re trying to gain). So if you want to put your resources where the biggest bang or impact can be made, then you sacrifice in other areas to allow the extra manpower where you want it.
However, might it just be that Mozilla has realligned their own mission? Firefox started out as a crusade against the big, bad IE6. Now it’s to chase Google Chrome and try (or at least be seen) to attempt regaining market share.
@Vakarian wrote:
…. [Changing times is not at all a good reason – it all depends on what developers prefer. If you want and are interested you can still focus on power user features combined with simplicity. Also – Just because you prefer a simple surface, does not mean it is best for everyone, and you only speak and argue (like so many other simplistic users) in a heavily biased way, seen from what you prefer and want. ] ….
I was one of those that enjoyed customization, so you should not lump me in with simpler users at all. I just know how to look at both sides from a helicopter view, as opposed to being in a trench. I just became less passionate about some power user features that was all. I don’t prefer Quantum because it’s a simpler interface (if that were the case, I’d like Chrome too, which I don’t). The interface is still customizable to a great degree, as far as what I need. Hey I’d still like a status bar, but when I fully adopt Quantum, I know I can’t have it. It’s not that I favour such a situation. But I decide that other things are more important to spend energy on, so I just move on.
Also, when I speak of changing times, I’m putting myself in the company’s shoes, not mine. For companies, changing times may VERY WELL be a good reason to make changes. Marketing firms spend ooodles of hours and dollars following trends. If you were a Mozilla stakeholder, and you wanted to regain some of your lost market share from Chrome, what would you do? I wouldn’t chase the power user. There is no growth in that realm. It’s not so much that you cannot incorporate those power user features you desire. It’s that your focus is somewhat removed from the prize – the mobile user.
Anyway, you aren’t crashing my discussion. All points of view should be welcome. :)
The problem is, Mozilla can not gain all the Chrome users. Hell, i would be surprised if they actually would take away 5-10%. And i guess as both you and me know, for someone like Mozilla who wants the majority of Chrome users – as that is their mission… why battling the competition when not believing that you can’t crush them – such a number would be way too low for them, so more strikes against what’s left of customization – called by simple users bloat – will follow.
Anyway, i think – Seen from that point of view, that they only will get limited numbers which will not equalize the sum of the lost ones – Mozilla should review their decision – a little bit, for their own benefit – because as it can be seen, they can not win against Chrome.
Because, like it or not.. most people say why should be using a browser copy being better than being an original?
That is the very core reason why the number of Chrome users which will switch over to Firefox are very finite. It would have been better not to go fully confrontational against power users and their features, as Mozilla is losing a big amount of vocal people who advertised, supported, installed Firefox on other machines.
They almost fully have erased that private advertising machinery. Also that is a mistake.
I understand your point. Maybe did Jessica have in mind the following, to establish the comparison :
“The change won’t block direct FTP links on webpages and Firefox won’t block FTP addresses that users type or paste in the browser’s address bar either.”
“Firefox displays a warning in the browser’s Developer Tools if webpages attempt to load FTP subresources in an iframe.”
“Bleeping Computer suggests that compromised FTP servers are often used to distribute malware to user computers and that the loading happens via FTP subresources”
In these conditions a comparison to torrents seems to me viable, given the scope will, at least in a first period, limit the potential enemy to sub-resources in an iframe.
Should FTP be definitely banned afterwards that I’d consider it as over-reacting, especially if FTPS was to be included. FTP is still used by many of us for storage, banning it seems disproportionate to me… but, again, I’m not an expert.
You know, it actually is possible to pose a counterargument without resorting to irrelevant personal attacks. It’s more effective, too.
How many news pieces start with “Mozilla plans to disable”?
umm.. what about FTPS?
‘Mozilla gives several reasons for the change; the most important is that FTP is not a secure protocol and that it should not be used anymore for that purpose because of that. ‘
Can someone at Mozilla block HTTP too? It is not a secure protocol and that it should not be used anymore
HTTP is used by a large percentage of sites on the Internet. The number has to go down significantly before any move is made to block it.
I do use ftp, but not typically from a browser, and not nearly as much as in the old days.