Firefox 82: new automatic downloads protection
Mozilla plans to introduce a new security feature in Firefox 82 that prevents the automatic downloading of files under certain circumstances.
The feature will block downloads that are initiated by sandboxed iframes, a technology that is used by sites and services to load embedded content such as advertisements or media on third-party sites.
The sandbox attribute of an iframe adds an extra set of restrictions to the content hosted by the iframe. Developers may specify certain allow parameters to allow actions such as popups or forms.
It is uncommon for sites to use sandboxed iframes to initiate downloads, but most browsers don't block these downloads at the time of writing. Google introduced the protection in Chrome 83, which it released in May 2020. Since Chrome is based on Chromium, most Chromium-based browsers have the protection implemented already or will have it in the near future. Google also introduced support for Secure DNS in the same browser version.
From Firefox 82 on, automatic downloads that originate from sandboxed iframes will be blocked in the Firefox browser. Developers may specify the "allow-downloads" parameter in the iframe's sandbox attribute to allow these downloads.
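As an added example (not from the original article and not Mozilla's code), the following Node.js script audits a piece of markup and reports for each iframe whether the block described above applies to it. The sample HTML and its example domains are constructed, the function names are hypothetical, and the sandbox keyword is written "allow-downloads", the spelling browsers match against.

```javascript
// Regex-based parsing is a simplification for auditing markup you control;
// it is not a full HTML parser (a ">" inside an attribute value breaks it).

// Split the attribute text of one tag into a lowercase-name -> value map.
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!attrs.has(name)) attrs.set(name, value); // first occurrence wins, as in HTML
  }
  return attrs;
}

// Return one { src, verdict } record per <iframe> start tag found in html.
function classifyIframes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const src = attrs.get("src") ?? "(no src)";
    let verdict;
    if (!attrs.has("sandbox")) {
      // No sandbox attribute: the sandboxed-iframe download block does not apply.
      verdict = "not-sandboxed";
    } else {
      // Sandbox tokens are space-separated and matched case-insensitively.
      // An empty sandbox attribute applies every restriction.
      const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
      verdict = tokens.includes("allow-downloads") ? "downloads-allowed" : "downloads-blocked";
    }
    results.push({ src, verdict });
  }
  return results;
}

// Constructed sample markup (placeholder domains, not taken from the article).
const SAMPLE_HTML = `
<iframe src="https://ads.example/banner.html" sandbox="allow-scripts"></iframe>
<iframe src="https://files.example/export.html" sandbox="allow-scripts allow-downloads"></iframe>
<iframe src="https://video.example/embed" allowfullscreen></iframe>
<IFRAME SRC='https://widget.example/' SANDBOX></IFRAME>
`;

console.table(classifyIframes(SAMPLE_HTML));
```

Frames reported as "downloads-allowed" are the ones worth reviewing, since the embedding site has explicitly opted them out of the block.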
Depending on the configuration, downloads may be saved automatically to the system's downloads folder. Firefox may be configured to display a "save to" prompt whenever downloads are initiated in the browser; this prompt provides a layer of protection against unwanted downloads as it is possible to hit the cancel button to stop the download before it reaches the user system.
Just load about:preferences#general in the Firefox address bar, scroll down to the downloads section on the page that opens, and make sure that the setting is set to "Always ask you where to save files". The setting may be less convenient, as you will get a prompt each time you download a file in the browser, but it is better when it comes to security.
Firefox 82 will be released on October 20, 2020 according to the release schedule. The next stable version is Firefox 81; it will be released in September 2020.
You can check out the bug on Mozilla's bug tracking website for additional information.
Now You: is your browser configured to accept downloads automatically?
I always have all my browsers set to “Always ask”. No way I want a website triggering an automatic download, and putting something somewhere I may not know about. Downloading without my knowledge is bad.
Downloads
2651: enforce user interaction for security by always asking where to download
browser.download.useDownloadDir > false
2652: disable adding downloads to the system’s “recent documents” list
browser.download.manager.addToRecentDocs > false
2653: disable hiding mime types (Options>General>Applications) not associated with a plugin
browser.download.hide_plugins_without_extensions > false
2654: disable “open with” in download dialog
browser.download.forbid_open_with > true
https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js
Thanks. That’s great you can tweak everything in FF.
@m3city
Why would you even want to turn this off? Such downloads are oftentimes malicious.
#firefoxadvertdebunked
Well, personal preference I guess. 2651 true as I have download folder “under constant surveillance”. 2652 false (note that this way there is one more place where downloads – intended or not – are visible). Last one to false. That’s the way I’ve been used to browsing the internet since 56kb/s times.
Don’t see much use for this as I honestly can’t recall the last time I’ve ever experienced an unexpected download (one I didn’t initiate) even when I used Internet Explorer for years. I suspect that may be due to using a blocking hosts file that blocks ad networks and known malicious websites at the OS level.
How is this different from what Firefox has always had, which is a setting to ask where to download a file etc.? If the download was uninitiated by the user then simply block, or is there something I am missing here?
The main difference is that the download is blocked in first place; no download prompt, no automatic download depending on your configuration.
This looks great. Wonderful job, team Mozilla!
Nothing to write home about, Chromium has it since May 2020. Good to see that Mozilla playing catchup has led to something pro-user coming out of it.
> Nothing to write home about.
Still writes… smh…
@Wood Brain
Deal with it.
Since March 2019 according to other news, then the browser side opt-in was removed in May, leaving only the websites “allow-download” opt-in. Details are a bit ambiguous though.