Do you really need to block ALL downloads since Firefox 93?

Inuya5ha — Thu, 09 Mar 2023 15:19:38 GMT

Recently I noticed 95% of my downloads being blocked by firefox with alarmist "CRITICAL SECURITY RISK DO NOT PROCEED YOUR DRIVE WILL BE ERASED AND YOUR BANK ACCOUNT EMPTIED" warnings solely based on the http origin of the file. As a web developer and UX designer I can't begin to describe how this policy is beyond absurd and wrong, the end user doesn't know nor care about the protocol used to transfer a file.

Simply put, the provisioning of HTTP/HTTPS protocol for downloads only matters to developers, enterprises and content providers, not the end-user. If Facebook, Hotmail, Download.com, Codecs.com or whatever site offers file download via HTTP with HTTPS navigation, kindly contact them to explain why this is a dangerous and hazardous practice that must be urgently terminated.

What percentage of your users currently have their files "modified or tampered with" during download, that justified this blocking to the general public? Give us a number please, no matter how small. Is it 0.00000000000000000000000000012%? I personally never had such problem in 35 years nor heard of anyone else either.

Could you be so kind to stop seeing security menaces when there is none, for a change? Idiotic policies such as this will only speed up the rate of Firefox usings moving to Chrome.

A more subtle way to adopt this unneeded policy would've been to show a small yellow warning icon next the downloaded file with a 10px sized label "Downloaded from http, potentially insecure in one-in-a-zillion cases", instead of blocking the file altogether.

Re: Do you really need to block ALL downloads since Firefox 93?

jscher2000 — Fri, 10 Mar 2023 07:15:53 GMT

@Inuya5ha wrote:
Recently I noticed 95% of my downloads being blocked by firefox with alarmist "CRITICAL SECURITY RISK DO NOT PROCEED YOUR DRIVE WILL BE ERASED AND YOUR BANK ACCOUNT EMPTIED" warnings solely based on the http origin of the file. As a web developer and UX designer I can't begin to describe how this policy is beyond absurd and wrong, the end user doesn't know nor care about the protocol used to transfer a file.

I assume you're joking about the message you're getting.

There is a hidden setting to turn off this feature, but as the web developer, you certainly can't assume a user will change this:

(A) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

More info on about:config: Configuration Editor for Firefox. Please keep in mind that changes made through this back door aren't fully supported and aren't guaranteed to continue working in the future.

(B) In the search box in the page, type or paste dom.block_download_insecure and pause while the list is filtered

(C) Double-click the preference to switch the value from true to false

Note that this error only occurs in the HTTPS-requests-HTTP context, similar to mixed active content blocking. A legacy site that still uses HTTP for the page itself isn't affected.

topic Re: Do you really need to block ALL downloads since Firefox 93? in Discussions

Do you really need to block ALL downloads since Firefox 93?

Re: Do you really need to block ALL downloads since Firefox 93?