{"id":2320,"date":"2018-05-07T23:13:52","date_gmt":"2018-05-08T06:13:52","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2320"},"modified":"2018-05-07T23:13:52","modified_gmt":"2018-05-08T06:13:52","slug":"blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/","title":{"rendered":"Blocking FTP subresource loads within non-FTP documents in Firefox 61"},"content":{"rendered":"<p>Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within HTTP(S) pages.<\/p>\n<p>The File Transfer Protocol (FTP) enables file exchange between computers on a network. While this standard protocol is supported by all major browsers and allows convenient file sharing within a network, it\u2019s one of the oldest protocols in use today and has a number of security issues.<\/p>\n<p>The fundamental underlying problem with FTP is that any data transferred will be unencrypted and hence sent across networks in plain text, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns rely on compromising FTP servers, downloading malware on an end users device using the FTP protocol. Further, FTP makes <a href=\"https:\/\/infosec.mozilla.org\/guidelines\/web_security#HTTP_Strict_Transport_Security\">HSTS<\/a> protection somewhat useless, because the automated upgrading from an unencrypted to an encrypted connection that HSTS promises does not apply to FTP.<\/p>\n<p>Following through to our <a href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/30\/deprecating-non-secure-http\/\">intent to deprecate non-secure HTTP<\/a> and aligning with Mozilla\u2019s effort to improve adoption of HTTPS Firefox will block subresource loads, like images, scripts and iframes, relying on the insecure FTP protocol. Starting with Firefox 61, loading an FTP subresource within a non-FTP document will be blocked and the following message will be logged to the console:<\/p>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-2321\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-252x34.png\" alt=\"\" width=\"590\" height=\"80\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-252x34.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-768x104.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-600x81.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png 930w\" sizes=\"(max-width: 590px) 100vw, 590px\" \/><\/a><\/p>\n<p>For the Mozilla Security Team:<br \/>\nTom Schuster and Christoph Kerschbaumer<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/\">Read more<\/a><\/p>\n","protected":false},"author":960,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[280776],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Blocking FTP subresource loads within non-FTP documents in Firefox 61 - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/\",\"name\":\"Blocking FTP subresource loads within non-FTP documents in Firefox 61 - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-252x34.png\",\"datePublished\":\"2018-05-08T06:13:52+00:00\",\"dateModified\":\"2018-05-08T06:13:52+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png\",\"width\":930,\"height\":126},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blocking FTP subresource loads within non-FTP documents in Firefox 61\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b\",\"name\":\"Christoph Kerschbaumer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c2f32f82e57d2d276655d533c069c73d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g\",\"caption\":\"Christoph Kerschbaumer\"},\"description\":\"Manager, Security Engineering\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Blocking FTP subresource loads within non-FTP documents in Firefox 61 - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/","twitter_misc":{"Written by":"Christoph Kerschbaumer","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/","name":"Blocking FTP subresource loads within non-FTP documents in Firefox 61 - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources-252x34.png","datePublished":"2018-05-08T06:13:52+00:00","dateModified":"2018-05-08T06:13:52+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/05\/blocking_ftp_subresources.png","width":930,"height":126},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/05\/07\/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Blocking FTP subresource loads within non-FTP documents in Firefox 61"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/2aa58e904cdee9bfd7aef6290ccfba5b","name":"Christoph Kerschbaumer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c2f32f82e57d2d276655d533c069c73d","url":"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/34c427186fcdd42f4c9c57a8bd0bcd7b?s=96&d=identicon&r=g","caption":"Christoph Kerschbaumer"},"description":"Manager, Security Engineering"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2320"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/960"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2320"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2320\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2320"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}