Slowly but surely, the Web has mostly moved to secure HTTP, or HTTPS, as the default for browsing web pages. There are still a few exceptions, however, especially when it comes to content that is downloaded via those supposedly secure web pages. It’s no longer enough to mark web pages as “secure”; the resources that come from them have to be secure as well. Starting next month, Mozilla will follow in Chrome’s footsteps and make Firefox block downloads on HTTPS pages that come from unsecured HTTP content.
The aggressive push to bring HTTPS to the forefront may have one unfortunate side-effect. Most people might mistake security for safety, presuming that everything on an HTTPS web page is safe. Technically speaking, HTTPS only guarantees that the connection to the page is secured through encryption, but the content on or from the page can still be fair game for hackers.
The danger is even greater when it comes to downloaded content that doesn’t come from the same HTTPS page. Dubbed “mixed content downloads,” this is the case where an HTTPS web page creates an unsecured connection to an HTTP resource, negating the benefits of that secured web page. Web browsers today normally warn users about visiting non-HTTPS web pages but not about downloading from unsecured connections.
Google started making changes to Chrome earlier last year, and Mozilla will be following suit. Starting with Firefox 92, due on September 7th, the web browser will block and warn users when they are trying to download something via HTTP when they are on an HTTPS page. Of course, it isn’t a hard block, and users can still choose to go through with the download at their own risk.
As XDA points out, this new behavior only affects HTTP downloads on HTTPS pages. HTTP downloads on regular HTTP pages won’t trigger the warning. Additionally, pasting an HTTP download link directly into Firefox will also let it go through as normal.
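For site owners who want to find links that would run into this behavior, here is an added example (not Firefox's code and not from the original article) that statically scans a page's HTML for download links that resolve to plain HTTP while the page itself is HTTPS. The `findMixedDownloads` name, the file-extension heuristic for "looks like a download," and the `example.test` sample page are assumptions made for illustration; a real browser decides from the server's response, which a static scan cannot see.

```javascript
// Added example: approximates the rule the article describes, not Firefox's implementation.
// Assumption: a link "looks like a download" if it carries a download attribute
// or its path ends in one of these extensions.
const DOWNLOAD_EXT = /\.(zip|exe|msi|dmg|pkg|iso|pdf|apk|tar\.gz)$/i;

function findMixedDownloads(pageUrl, html) {
  const page = new URL(pageUrl);
  // Per the article, HTTP downloads on plain HTTP pages do not trigger the warning.
  if (page.protocol !== 'https:') return [];
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const m = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    if (!m) continue;
    const raw = m[1] ?? m[2] ?? m[3];
    let target;
    try {
      // Resolve relative and protocol-relative links against the page URL,
      // so "/file.zip" and "//cdn/file.zip" inherit the page's https scheme.
      target = new URL(raw, page);
    } catch {
      continue; // unparsable href, nothing to classify
    }
    if (target.protocol !== 'http:') continue;
    const hasDownloadAttr = /\sdownload(\s|=|>|\/)/i.test(tag);
    if (hasDownloadAttr || DOWNLOAD_EXT.test(target.pathname)) {
      findings.push(target.href);
    }
  }
  return findings;
}

// Constructed sample page (not real data).
const SAMPLE_PAGE = 'https://www.example.test/downloads/';
const SAMPLE_HTML = `
  <a href="http://files.example.test/setup.exe">Installer</a>
  <a href="/docs/manual.pdf">Manual (relative, stays HTTPS)</a>
  <a href="//cdn.example.test/tool.zip">Tool (protocol-relative, stays HTTPS)</a>
  <a href='http://example.test/report' download>Report</a>
  <a href="http://example.test/about.html">About (HTTP, but a page, not a download)</a>
  <a href="https://files.example.test/setup.msi">Secure installer</a>
`;

for (const url of findMixedDownloads(SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log('mixed content download:', url);
}
```

The fix for each reported link is to serve the file over HTTPS and update the link to match.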