{"id":2812,"date":"2021-10-05T01:07:19","date_gmt":"2021-10-05T08:07:19","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2812"},"modified":"2026-04-28T08:02:53","modified_gmt":"2026-04-28T15:02:53","slug":"firefox-93-protects-against-insecure-downloads","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/","title":{"rendered":"Firefox 93 protects against Insecure Downloads"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p>Downloading files to your device still poses a major security risk and can ultimately lead to an entire system compromise by an attacker, especially because the security risks are not apparent. To better protect you from the dangers of insecure, or even undesired, downloads, we integrated the following two security enhancements, which increase security when you download files to your computer. In detail, Firefox will:<\/p>\n<ul>\n<li aria-level=\"1\">block insecure HTTP downloads on a secure HTTPS page, and<\/li>\n<li aria-level=\"1\">block downloads in sandboxed iframes, unless the iframe is explicitly annotated with the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTML\/Element\/iframe#attr-sandbox\">allow-downloads attribute<\/a>.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Blocking Downloads relying on insecure connections<\/h2>\n<p>Downloading files via an insecure HTTP connection generally poses a major security risk because data transferred by the regular HTTP protocol is unprotected and sent in clear text, so attackers are able to view, steal, or even tamper with the transmitted data. 
Put differently, downloading a file over an insecure connection allows an attacker to replace the file with malicious content which, when opened, can ultimately lead to an entire system compromise.<\/p>\n<p>&nbsp;<\/p>\n<div id=\"attachment_2813\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png\"><img aria-describedby=\"caption-attachment-2813\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2813 size-large\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-600x378.png\" alt=\"\" width=\"600\" height=\"378\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-600x378.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-300x189.png 300w, https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-768x484.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-1000x631.png 1000w, https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png 1202w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-2813\" class=\"wp-caption-text\">Firefox 93 prompting the end user about a \u2018Potential security risk\u2019 when downloading a file using an insecure connection.<\/p><\/div>\n<p>&nbsp;<\/p>\n<p>As illustrated in the Figure above, if Firefox detects such an insecure download, it will initially block the download and prompt you signalling the Potential security risk. 
This prompt lets you either stop the download and Remove the file, or override the decision and download the file anyway, though it\u2019s safer to abandon the download at this point.<\/p>\n<p>&nbsp;<\/p>\n<h2>Blocking Downloads in sandboxed iframes<\/h2>\n<p>The <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTML\/Element\/iframe#attr-sandbox\">Inline Frame sandbox attribute<\/a> is the preferred way to lock down capabilities of embedded third-party content. Currently, even with the sandbox attribute set, malicious content could initiate a drive-by download, prompting the user to download malicious files. Unless the sandboxed content is explicitly annotated with the \u2018allow-downloads\u2019 attribute, Firefox will protect you against such drive-by downloads. Put differently, downloads initiated from sandboxed contexts without this attribute will be canceled silently in the background without disrupting your browsing.<\/p>\n<p>&nbsp;<\/p>\n<h2>It\u2019s Automatic!<\/h2>\n<p>As a Firefox user, you can benefit from these additional security mechanisms as soon as your Firefox auto-updates to version 93. If you aren\u2019t a Firefox user yet, <a href=\"https:\/\/www.mozilla.org\/firefox\/new\/\">you can download the latest version here<\/a> to start benefiting from all the ways that Firefox works to protect you when browsing the internet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Downloading files on your device still exposes a major security risk and can ultimately lead to an entire system compromise by an attacker. 
Especially because the security risks are &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/\">Read more<\/a><\/p>\n","protected":false},"author":1698,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,69],"tags":[],"coauthors":[447605,466114,280776],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 93 protects against Insecure Downloads - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sebastian Streich, Juliana Gaibler, Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/\",\"name\":\"Firefox 93 protects against Insecure Downloads - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-600x378.png\",\"datePublished\":\"2021-10-05T08:07:19+00:00\",\"dateModified\":\"2026-04-28T15:02:53+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png\",\"width\":1202,\"height\":758,\"caption\":\"Firefox 93 prompting the end user about a 
\u2018Potential security risk\u2019 when downloading a file using an insecure connection.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 93 protects against Insecure Downloads\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c\",\"name\":\"Sebastian Streich\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5ae2aa1055487a323cc1eb8cfd5a240e\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g\",\"caption\":\"Sebastian Streich\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Firefox 93 protects against Insecure Downloads - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/","twitter_misc":{"Written by":"Sebastian Streich, Juliana Gaibler, Christoph Kerschbaumer","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/","name":"Firefox 93 protects against Insecure Downloads - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download-600x378.png","datePublished":"2021-10-05T08:07:19+00:00","dateModified":"2026-04-28T15:02:53+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#primaryimage
","url":"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/09\/insecure_download.png","width":1202,"height":758,"caption":"Firefox 93 prompting the end user about a \u2018Potential security risk\u2019 when downloading a file using an insecure connection."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/10\/05\/firefox-93-protects-against-insecure-downloads\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 93 protects against Insecure Downloads"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/a4d1fe2439fd7dbd534b8eba8b94cf5c","name":"Sebastian Streich","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/5ae2aa1055487a323cc1eb8cfd5a240e","url":"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8bbbb48726b93c4460fbef83d5227d51?s=96&d=identicon&r=g","caption":"Sebastian 
Streich"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2812"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1698"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2812"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2812\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2812"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}