Firefox 82: new automatic downloads protection

Martin Brinkmann
Sep 6, 2020

Mozilla plans to introduce a new security feature in Firefox 82 that prevents the automatic downloading of files under certain circumstances.

The feature will block downloads that are initiated by sandboxed iframes, a technology that is used by sites and services to load embedded content such as advertisements or media on third-party sites.

The sandbox attribute of an iframe adds an extra set of restrictions to the content hosted by the iframe. Developers may specify certain allow parameters to allow actions such as popups or forms.

It is uncommon for sites to use sandboxed iframes to initiate downloads, but most browsers don't block these downloads at the time of writing. Google introduced the protection in Chrome 83, which it released in May 2020. Since Chrome is based on Chromium, most Chromium-based browsers have the protection implemented already or will have it in the near future. The company introduced support for Secure DNS in the same browser version.

From Firefox 82 on, automatic downloads that originate from sandboxed iframes will be blocked in the Firefox browser. Developers may specify the "allow-downloads" parameter to allow these downloads.
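The rule described above, as an added example that is not from the article or from Mozilla's code: it scans markup for iframes and reports whether the sandbox download block applies to each one, using the `allow-downloads` sandbox token from the HTML standard. The function names, the sample markup and its hostnames are constructed for illustration.

```javascript
// Added example: classify iframes by whether the sandbox download block applies.
// Function names and the sample markup are constructed for illustration.

// Parse the attributes of one <iframe ...> start tag into a Map (names lowercased).
function parseAttributes(tag) {
  const attrs = new Map();
  const inner = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// sandbox === undefined: attribute absent, so the frame is not sandboxed.
// Any present value (even an empty one) sandboxes the frame; tokens are
// whitespace-separated and compared case-insensitively.
function downloadPolicy(sandbox) {
  if (sandbox === undefined) return "not-sandboxed";
  const tokens = sandbox.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return tokens.includes("allow-downloads") ? "allowed" : "blocked";
}

// Simple tag scan, adequate for the sample below; use a real HTML parser
// (or the DOM) when auditing pages you do not control.
function auditIframes(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map((tag) => {
    const attrs = parseAttributes(tag);
    return { src: attrs.get("src") || "", policy: downloadPolicy(attrs.get("sandbox")) };
  });
}

// Constructed sample markup.
const SAMPLE_HTML = `
<iframe src="https://video.example/player"></iframe>
<iframe src="https://ads.example/banner" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://files.example/export" sandbox="allow-scripts Allow-Downloads"></iframe>
<iframe src="https://widget.example/sandbox-demo" sandbox></iframe>
`;

console.table(auditIframes(SAMPLE_HTML));
```

Frames reported as "blocked" are the ones whose downloads stop working once the browser enforces the restriction; a site that relies on such a download needs the token added to that frame's sandbox attribute.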

Depending on the configuration, downloads may be saved automatically to the system's downloads folder. Firefox may be configured to display a "save to" prompt whenever downloads are initiated in the browser; this prompt provides a layer of protection against unwanted downloads as it is possible to hit the cancel button to stop the download before it reaches the user's system.

Just load about:preferences#general in the Firefox address bar, scroll down to the downloads section on the page that opens, and make sure that the setting is set to "Always ask you where to save files". The setting may be less convenient, as you will get a prompt each time you download a file in the browser, but it is better when it comes to security.

Firefox 82 will be released on October 20, 2020 according to the release schedule. The next stable version is Firefox 81; it will be released in September 2020.

You can check out the bug on Mozilla's bug tracking website for additional information.

Now You: is your browser configured to accept downloads automatically?

Publisher
Ghacks Technology News

Comments

  1. Bobby Phoenix said on September 6, 2020 at 7:34 pm
    Reply

    I always have all my browsers set to “Always ask”. No way I want a website triggering an automatic download, and putting something somewhere I may not know about. Downloading without my knowledge is bad.

  2. Anonymous said on September 6, 2020 at 6:55 pm
    Reply

    Downloads

    2651: enforce user interaction for security by always asking where to download
    browser.download.useDownloadDir > false

    2652: disable adding downloads to the system’s “recent documents” list
    browser.download.manager.addToRecentDocs > false

    2653: disable hiding mime types (Options>General>Applications) not associated with a plugin
    browser.download.hide_plugins_without_extensions > false

    2654: disable “open with” in download dialog
    browser.download.forbid_open_with > true

    https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

    1. m3city said on September 7, 2020 at 8:48 am
      Reply

      Thanks. That's great you can tweak everything in FF.

      1. Iron Heart said on September 7, 2020 at 11:36 am
        Reply

        @m3city

        Why would you even want to turn this off? Such downloads are oftentimes malicious.

        #firefoxadvertdebunked

      2. m3city said on September 7, 2020 at 10:11 pm
        Reply

        Well, personal preference I guess. 2651 true as I have download folder “under constant surveillance”. 2652 false (note that this way there is one more place where downloads – intended or not – are visible). Last one to false. That's the way I’ve used to browse the internet from 56kb/s times.

  3. Mothy said on September 6, 2020 at 5:10 pm
    Reply

    Don’t see much use for this as I honestly can’t recall the last time I’ve ever experienced an unexpected download (one I didn’t initiate) even when I used Internet Explorer for years. I suspect that may be due to using a blocking hosts file that blocks ad networks and known malicious websites at the OS level.

  4. computer said no said on September 6, 2020 at 9:42 am
    Reply

    How is this different from what Firefox has always had, which is a setting to ask where to download a file etc.? If the download was uninitiated by the user then simply block, or is there something I am missing here?

    1. Martin Brinkmann said on September 6, 2020 at 10:35 am
      Reply

      The main difference is that the download is blocked in the first place; no download prompt, no automatic download depending on your configuration.

  5. Thom said on September 6, 2020 at 9:30 am
    Reply

    This looks great. Wonderful job, team Mozilla!

  6. Iron Heart said on September 6, 2020 at 8:20 am
    Reply

    Nothing to write home about, Chromium has had it since May 2020. Good to see that Mozilla playing catchup has led to something pro-user coming out of it.

    1. Wood Brain said on September 7, 2020 at 12:06 am
      Reply

      > Nothing to write home about.
      Still writes… smh…

      1. Iron Heart said on September 7, 2020 at 8:20 am
        Reply

        @Wood Brain

        Deal with it.

    2. else said on September 6, 2020 at 12:34 pm
      Reply

      Since March 2019 according to other news, then the browser side opt-in was removed in May, leaving only the websites “allow-download” opt-in. Details are a bit ambiguous though.
