Firefox will block insecure downloads soon by default

Martin Brinkmann
Aug 13, 2021

Mozilla's Firefox web browser will block the download of insecure files soon in mixed content environments.

Mixed content refers to sites that use both secure and insecure connections. Imagine the following scenario: you visit a secure site that is using HTTPS and start a download by clicking on a link. The linked resource is not served over HTTPS but over HTTP; this is what mixed content in the context of downloads refers to.

Files that are transferred via insecure connections may be tampered with, for instance by other actors on a network.

Firefox will block insecure downloads that originated from HTTPS sites soon, likely in Firefox 92, which will be released on September 7, 2021.

Firefox won't download the file in this case automatically; the browser displays a warning in the download panel, "File not downloaded. Potential security risk.", with a red exclamation mark icon.


A click or tap on the download in the panel opens additional information and options.

Firefox users may allow the download using the prompt that opens or remove the file.


The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content. It may still be a good idea to run the file through a virus scanner or service such as Virustotal to make sure it is clean and likely without danger.

Firefox 92 comes with a preference switch that controls the behavior. It can be turned off to restore the previous downloading behavior:

dom.block_download_insecure

  1. Load about:config in the Firefox address bar.
  2. Confirm that you accept the risk.
  3. Search for dom.block_download_insecure.
  4. Use the toggle icon to set the value to
    1. TRUE: to keep the security feature enabled.
    2. FALSE: to disable the security feature.

Mozilla notes that about 98.5% of all downloads in Firefox Nightly use HTTPS. In other words: 15 in 1000 downloads will be blocked once the change lands in Firefox Stable, provided that the percentage value is about the same.

Google introduced the blocking of downloads in an insecure context earlier this year in Chrome 86. Most Chromium-based browsers block downloads from HTTP sources if the originating page uses HTTPS. Chrome displays a notification in the download panel if a file cannot be downloaded because it originates from an HTTP server. Chrome users may discard or keep the download, similarly to how Firefox handles these downloads.

Closing Words

HTTP downloads that originate on HTTPS pages will be blocked by default; users do have the option to override the blocking and to disable the security feature entirely.
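
Site operators can check their own pages for the condition described above, an HTTPS page that links to a file over plain HTTP. The following Python script is an added example, not code from Mozilla or from this article; the extension list, the sample page and the example hosts are constructed, and the check follows the rule as the article states it rather than Firefox's internal logic.

```python
"""Added example: flag download links on an HTTPS page that resolve to plain
HTTP, the mixed-content download case the article describes."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Assumption: file extensions treated as downloads; adjust for your own site.
DOWNLOAD_EXTENSIONS = {".exe", ".msi", ".dmg", ".pkg", ".zip", ".7z", ".gz",
                       ".iso", ".apk", ".deb", ".rpm", ".pdf"}

# Constructed sample input (hosts under .example are placeholders).
SAMPLE_PAGE_URL = "https://downloads.example/releases/index.html"
SAMPLE_HTML = """
<a href="tool-1.2.zip">relative link, inherits https</a>
<a href="//cdn.example/tool-1.2.dmg">protocol-relative, inherits https</a>
<a href="http://mirror.example/tool-1.2.exe">plain http installer</a>
<a href="http://mirror.example/get?id=7" download>http with download attribute</a>
<a href="http://blog.example/news.html">http page, ordinary navigation</a>
<a href="HTTP://mirror.example/TOOL.ISO">upper-case scheme and extension</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, has_download_attr) for each <a>; remembers <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_href is None and attrs.get("href"):
            # Only the first <base href> counts, as in browsers.
            self.base_href = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"].strip(), "download" in attrs))


def looks_like_download(url, has_download_attr):
    """Heuristic: a download attribute or a known file extension in the path."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return has_download_attr or ext in DOWNLOAD_EXTENSIONS


def find_insecure_downloads(page_url, html):
    """Return absolute URLs of download links an HTTPS page serves over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # page is not secure, so this is not the mixed-content case
    parser = _LinkCollector()
    parser.feed(html)
    # A <base href="http://..."> silently turns relative links into HTTP ones.
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    findings = []
    for href, has_attr in parser.links:
        absolute = urljoin(base, href)
        if (urlsplit(absolute).scheme == "http"
                and looks_like_download(absolute, has_attr)):
            findings.append(absolute)
    return findings


if __name__ == "__main__":
    for url in find_insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure download link:", url)
```

Relative and protocol-relative links inherit the page's HTTPS scheme and are not reported; switching the reported links to HTTPS on the server side removes the warning for visitors without any change to their browser settings.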

Now You: what is your take on the feature? Good addition? (via Techdows)

Publisher: Ghacks Technology News

Comments

  1. Kevin Preston said on November 15, 2021 at 6:12 pm
    Reply

    Had to go into about:config to disable this.

    Once again…I am a BIG BOY…
    STOP DOING THINGS FOR MY OWN GOOD.

    I have Microsoft Defender breathing down my neck, I have all the rest of their defense garbage breathing down my neck.
    Then I have my web browser breathing down my neck as well as everything else.

    LEAVE ME ALONE already!!!!

    I get into my Toyota and it has to tell me to drive safely after beeping because I haven’t put my seat belt on yet.

    My phone tells me that my volume is too loud.
    My Microwave oven has to consistently tell me that my food is ready.
    Everything has to either beep, flash or send me text message.

    If I worked on the Starship Enterprise Bridge I would take a phaser to every last one of them on that ship because of the constant beeping and flashing lights.

    Enough already because you are doing nothing but polluting everyone’s life with unnecessary nonsense.

  2. Carlos said on November 11, 2021 at 9:36 pm
    Reply

    This crap is supposed to be disabled because I disabled it myself in the preferences and now it turns out that these idiots add one more option that can’t even be disabled easily and they end up messing up my unique download link.

  3. What is this, AOL? said on August 15, 2021 at 8:56 am
    Reply

    >Personally, I still visit gHacks once in a while, but I’ve noticed that I visit it less and less as time progresses, and the useless and mindless ranting of trolls continues.

    Sorry no one will worship you. No one cares whether you visit this site or not, do you care what color of socks I wear? My favorite band? What is this, AOL? LOL!

    1. Yet Another Jason said on August 16, 2021 at 10:43 pm
      Reply

      I agree. This Geoff fellow accuses others of trolling but comes off as a troll himself. I dislike the aggressive tone Iron Heart constantly takes, but he (or she?) is not a troll, just a person with an opinion. The posts from Geoff here have just gone over the top with bizarre accusations, and we’re now meant to feel sorry that he dislikes gHacks…

      Too much drama altogether. I’m going to take a break from my computer.

  4. Geoff Williams said on August 15, 2021 at 4:26 am
    Reply

    This Iron Heart troll is filled with hate and anger. Sad.

    And gHacks is more than willing to publish this troll’s rage, unsubstantiated claims, and attacks. So I’m sure they will have no problem publishing my simple reply.

    1. “You are not supposed to use that word like some racist bigot…”

    You are implying I am a racist. I am not, and your implication is offensive. You sound like one of those racist bigots who is trying to deflect their shame.

    2. “Really says it all, it’s not about what is best for the regular user, rather, as with everything else in life, it is about power and control.”

    I mentioned nothing about power and control. I don’t care about power and control. I actually gave up my powerful management job to work for a non-profit charity that feeds the homeless. You clearly have a hateful agenda and are putting words into other people’s mouths. Firefox is excellent for the average user as well as power users.

    3. “It speaks volumes about the Firefox community when people see them hating on fellow privacy projects.”

    I am a single user. I do not represent the Firefox community (nor Mozilla). But it is a well-documented behavior of racists to view the acts of a single individual as representative of an entire community. Only one of us is filled with hate and is acting in a hateful way, and it’s clearly not me. You attacked me with your hostile words (which gHacks was willing to publish), and I never even thought of mentioning or referencing you (or anyone else) in any way in my post.

    4. “Thank you for revealing the true face of the FF community here.”

    Again, I am a single user. I do not represent the Firefox community. But, regarding your comments, it is common for a racist to view the world as unified groups of people who hate each other. Personally, I don’t hate anyone. You would likely benefit from some quality therapy that could help you get out of your hate-filled world. Life is much simpler and honest when you stop hating others and stop blaming others for your hate.

    If you look at Iron Heart’s well-documented history, he’s clearly just another one of those angry far-right hateful people. Firefox is an excellent project developed by an organization trying to foster equality. This clearly angers him so much that he has literally spent hours of his time writing hundreds of rants on gHacks and elsewhere. The tone, content, hostility, and hate is always the same, so it’s easy to spot his writing anywhere. It’s like a broken record. Nothing new to say, and no signs of growth.

    I do understand, however, why he spends so much time posting his rants here on gHacks. He has explained that he has been banned for inappropriate conduct on other sites (although people like that rarely have much insight into why their conduct is inappropriate). That speaks volumes on its own.

    gHacks obviously hopes to profit from allowing his rants (just like CNN and Fox News try to profit from wild broken-record rants), although I have read multiple threads on other sites where people have disclosed that they no longer visit gHacks because they are tired of all the obvious trolling interfering with valuable and helpful discourse. Personally, I still visit gHacks once in a while, but I’ve noticed that I visit it less and less as time progresses, and the useless and mindless ranting of trolls continues.

    1. ChromeFan said on August 15, 2021 at 7:28 pm
      Reply

      Absolutely disgusting post. Wow! It is clear you are a homophobe, and also a racist, and frankly it is disgusting. Why does Martin let this abhorrent filth on this site?

    2. Iron Heart said on August 15, 2021 at 8:14 am
      Reply

      @Geoff Williams

      > This Iron Heart troll is filled with hate and anger. Sad.

      Your original post reads like a troll reply, because it is one. Any further allegation of me being a troll coming from you (of all people) will thus be discarded.

      > You are implying I am a racist.

      If the slave word is the first rhyme you have for Brave, what else am I supposed to think?

      > You sound like one of those racist bigots who is trying to deflect their shame.

      Your kitchen psychology is failing you here. There is no indication of racism in any of my posts.

      > I mentioned nothing about power and control. I don’t care about power and control.

      You are hating on a fellow privacy project. Is that in the best interest of users? Nope. What you do only makes sense if you are a fanboy with an agenda, sprung from a toxic community fighting for its relevance. Or you are completely irrational and don’t know anymore what you say. Choose one.

      > You clearly have a hateful agenda and are putting words into other people’s mouths.

      I don’t think so. And considering your original troll post, I have no reason to put words in your mouth.

      > I am a single user.

      Then why are you drones so exchangeable? Your hate always goes in the same direction, your non-arguments are also the same. If you want to be seen as not being a drone, try something more original.

      > But it is a well-documented behavior of racists to view the acts of a single individual as representative of an entire community.

      Hey slave-rhymer, what makes you think I am a racist? Any kind of actual proof?

      > You attacked me with your hostile words (which gHacks was willing to publish), and I never even thought of mentioning or referencing you (or anyone else) in any way in my post.

      Your original post was filled with trolling and was bait. People are not blind, your post is still there, one can read it.

      > You would likely benefit from some quality therapy that could help you get out of your hate-filled world.

      And you would likely benefit from having some actual argument that is more than trolling or whining. My “therapy”, as in, the wellness I would need, would be you stupid drones leaving or coming up with something more original.

      > If you look at Iron Heart’s well-documented history, he’s clearly just another one of those angry far-right hateful people.

      Source: Your ass.

      If people took a look at my history, they would find that I am one of the more apolitical commenters here.

      > Firefox is an excellent project developed by an organization trying to foster equality.

      I don’t know what Mozilla fosters other than their CEO’s paycheck (while at the same time firing 250 people amidst a pandemic), so much for “equality”. Also, only 3% want to use their product despite the fact that it can be downloaded for free. Do I need to explain why, or do you already know why?

      > Nothing new to say, and no signs of growth.

      What do you expect when you have me deal with the same old, retarded shit once again? I will post a more original reply once you drones come up with a more original argument.

      > I do understand, however, why he spends so much time posting his rants here on gHacks. He has explained that he has been banned for inappropriate conduct on other sites (although people like that rarely have much insight into why their conduct is inappropriate). That speaks volumes on its own.

      Complete lie. I have never said that I have been banned anywhere, simply because I am not anywhere else. I can’t be banned from where I was not present in the first place. Also, fabricate your lies a bit better next time:

      1) I am spending so much time here dealing with trolls like you that I would hardly have the time to do the very same thing anywhere else. Tech news isn’t my whole life, and the day only has 24 hours.
      2) If I had been banned anywhere, it wouldn’t make much sense for me to openly admit it, would it? Duh…

      > gHacks obviously hopes to profit from allowing his rants (just like CNN and Fox News try to profit from wild broken-record rants), although I have read multiple threads on other sites where people have disclosed that they no longer visit gHacks because they are tired of all the obvious trolling interfering with valuable and helpful discourse.

      Source for people leaving gHacks? Or are you just being, let’s say, “creative with the truth” again? I don’t know what Martin’s motivation is for allowing comments other than them not violating the gHacks comment guidelines… Anyway, your hopes for censorship won’t be fulfilled here. Don’t even bother. This goes both ways, by the way. gHacks also allowed YOUR trolling and YOUR lies to be published after all. Am I supposed to whine about that, just like you?

      > Personally, I still visit gHacks once in a while, but I’ve noticed that I visit it less and less as time progresses, and the useless and mindless ranting of trolls continues.

      So you’ve concluded that, when you visit once in a while, that the best course of action would be to become a low effort troll? OK.

      I am done here. Enough time wasted on the lying troll.

      1. bob from oklahoma said on August 18, 2021 at 3:29 pm
        Reply

        jesus christ learn to be more succinct

  5. Geoff Williams said on August 14, 2021 at 1:55 pm
    Reply

    This is a much better implementation than Chrome or any of the Chrome wanna-be browsers like the one that rhymes with “slave”.

    Mozilla is letting users know about a potential issue and treating them like adults by giving them the choice to still download the file if they want. And if Firefox users don’t want to even be warned, there is a setting to control that too. Perfect.

    Now we just need to convince the thousands of software developers (including, ahem, Microsoft) that distribute software via HTTP to finally switch to HTTPS. It’s shocking that in this day and age that about 3-5% of software developers still distribute their software on pages that only allow HTTP connections. HTTPS certificates are literally free now, so there is no excuse except laziness to not use HTTPS.

    1. Iron Heart said on August 14, 2021 at 7:34 pm
      Reply

      @Geoff Williams

      > This is a much better implementation than Chrome or any of the Chrome wanna-be browsers like the one that rhymes with “slave”.

      You are not supposed to use that word like some racist bigot, Mozilla has spent good money to remove it entirely from Build Bot: https://forums.escapistmagazine.com/threads/mozilla-gives-15k-to-remove-slave-from-build-bot-documentation.138153/

      Apart from that, it speaks volumes about the Firefox community when people see them hating on fellow privacy projects. You guys hate Brave much more than you do Chrome and Edge, browsers that actually violate user privacy. Really says it all, it’s not about what is best for the regular user, rather, as with everything else in life, it is about power and control. Thank you for revealing the true face of the FF community here.

      > Mozilla is letting users know about a potential issue and treating them like adults by giving them the choice to still download the file if they want.

      So does any other browser implementing that feature, this is not unique to Firefox.

      > And if Firefox users don’t want to even be warned, there is a setting to control that too. Perfect.

      In what kind of reality is that “perfect”, my dude? If a download of yours triggers a warning in the first place, there usually is something more to the story. One can make conscious exceptions already, no point in lowering security standards even further by disabling the warning(!).

  6. Shiva said on August 14, 2021 at 12:07 pm
    Reply

    Still miss FlashGot, now I have to use VideoDownloadHelper and DownloadWithJDownloader (plus native application) to compensate for it.

    Oh! While I was wasting my time with userchrome after 91 release I didn’t see this ‘improvement’ on search bar: https://postimg.cc/yWf061mZ

  7. Robert said on August 14, 2021 at 8:11 am
    Reply

    Good thing I use IDM for my downloads. If I want to download an app or a zip file that Firefox doesn’t approve of then I will use another browser. They are not my parents? No wonder Firefox is losing clients left and right.

  8. Dale Gribble said on August 14, 2021 at 5:17 am
    Reply

    That’s why I always enjoy using wget, not a browser nor their extensions for downloads.

  9. Ipnonymous said on August 13, 2021 at 8:31 pm
    Reply

    So about 1 out of every 67 downloads.

  10. ChromeFan said on August 13, 2021 at 7:39 pm
    Reply

    You can not call yourself a private browser if your default search engine is Google.

  11. TelV said on August 13, 2021 at 7:04 pm
    Reply

    Will Microsoft take note of that I wonder? After all, all downloads from the Microsoft Catalog Site take place over an insecure link.

  12. Tom Hawack said on August 13, 2021 at 6:31 pm
    Reply

    Good. Current Firefox 91 already has ‘dom.block_download_insecure’ in about:config, but set to false given it’s planned.

    Here with HTTPSEverywhere set to ‘Encrypt All Sites Eligible’ it won’t change much. I don’t use Firefox’s HTTPS-Only mode given I’ve encountered at least one site where setting an exception just wouldn’t work : [http://www.les-verbes.com/]. HTTPSEverywhere is far more elaborated IMO.

    As always or almost this new ‘Block insecure downloads’ feature has its option in about:config, cherry on the cake.

    1. Yash said on August 14, 2021 at 9:57 pm
      Reply

      Switch three unchanged prefs of security.mixedcontent, two of which mentioned in user.js for blocking http content and one additional for upgrading passive resources. So that will be another layer of dealing with http sites along with Https Everywhere. Prefs will work on all sites to do its best, while add-on will work on sites present in its database. The next best solution after Https only mode.

      1. Tom Hawack said on August 15, 2021 at 11:05 am
        Reply

        @Yash,

        > “[…]while add-on will work on sites present in its database” : HTTPSEverywhere set to ‘Encrypt All Sites Eligible’ (EASE) blocks systematically all non-HTTPS connections, as Firefox’s ‘HTTPS-Only’ mode. This approach, given it allows exceptions, is far more convenient than a ‘security.mixed_content.block_display_content’ set to true because there may be HTTPS sites where connections to non-HTTPS servers are considered by the users as being worth it.

        Nevertheless in any case ‘security.mixed_content.block_active_content’ remains set to true (default).

        In my case, I use several HTTPS Web radio portals which call different non-secure Web radios : setting ‘security.mixed_content.block_display_content’ to true would block access to these 3rd-party servers. HTTPSEverywhere, in EASE mode, can be instructed to apply exceptions, bringing the best to one equation.

      2. Yash said on August 15, 2021 at 1:57 pm
        Reply

        “because there may be HTTPS sites where connections to non-HTTPS servers are considered by the users as being worth it.” For this, the first two prefs of blocking are out, but maybe third pref of ‘upgrading display content’ can be a potential solution as it will not block http but rather *try* to upgrade passive resources to https if it can on https sites (http sites load just fine with all three prefs switched) at least that’s what its name suggests.

        I don’t use https-only mode and also no https everywhere. I use these three prefs and my thinking was – there will no http content on https sites, plus http ones will load just fine without having to set exceptions and encounter all sorts of warning, like the site you mentioned above load just fine. But this point – “I use several HTTPS Web radio portals which call different non-secure Web radios” – has got me thinking there are other scenarios as well and time has come to review few things. Maybe you can check if third pref helps with this, IOW doesn’t block http but just try to upgrade it, and share the result here.

      3. Tom Hawack said on August 15, 2021 at 5:37 pm
        Reply

        @Yash, all this is quite complex.

        > “[…]maybe third pref of ‘upgrading display content’ can be a potential solution[…]”

        This is the “security.mixed_content.upgrade_display_content” pref, but to work the user must have set “security.mixed_content.block_display_content” to true as well otherwise if the attempt to connect to 3rd-party sites via HTTPS fails, the connection won’t return to HTTP …

        I’ve used these combinations in the past, found them in archives :

        // attempt to load mixed content that is optionally blockable from HTTPS domains instead of the referenced HTTP domains
        // REQUIRES SAME VALUE AS "security.mixed_content.block_display_content"
        // pref("security.mixed_content.upgrade_display_content", true); // Default=false

        This is why an HTTPS-only mode (that of Firefox or that of HTTPSEverywhere) with exceptions appeared to me as the simplest approach:

        // Enforce enabling insecure active content on https pages – mixed content
        pref("security.mixed_content.block_active_content", true); // DEFAULT=true

        // Enforce disabling insecure passive content (such as images) on https pages – mixed context
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false

        The only switch from there on is an HTTP exception at the discretion of the user. HTTPSEverywhere can set the exception for once or register it. No fuss, no problem, best security/freedom ratio IMO.

      4. Yash said on August 16, 2021 at 12:03 am
        Reply

        You mixed enabled and disabled there on last two prefs which proves you’re….human. Don’t get me wrong, https-only mode with exceptions or https everywhere with EASE mode are the best, but those are for https sites. The security.mixed prefs kick in exceptions mode as https everywhere or https-only mode are the first checkpoint. Those three prefs are always inferior to these two as they don’t deal with scripts, just passive resources.

        security.mixed_content.upgrade_display_content works independently of security.mixed_content.block_display_content pref. In browserleaks.com/ssl – if I switch block pref, result will be ‘blocked’ in all six categories, in upgrade pref it will be ‘upgraded to https’ in first three and blocked in last three, same if both block and upgrade are enabled. In https-only mode or in EASE mode, ‘upgraded to https’ in all six categories.

        But that’s all sort of theoretical. I just want to know one thing, if you only switch upgrade pref to true, with EASE mode or https-only mode but that will not matter when setting an exception, will some https sites as you said need http content load properly?

      5. Tom Hawack said on August 16, 2021 at 8:58 am
        Reply

        I would have “mixed enabled and disabled there on last two prefs”? Where?

        // Enforce enabling insecure active content on https pages – mixed content
        pref("security.mixed_content.block_active_content", true); // DEFAULT=true

        // Enforce disabling insecure passive content (such as images) on https pages – mixed context
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false

        Nothing mixed here. Please explain.

        > “security.mixed_content.upgrade_display_content works independently of security.mixed_content.block_display_content pref”

        Yes and no. If the former is enabled, an http connection to a 3rd-party server will attempt to connect via https, but if it fails AND the latter is disabled, there will be no return to http.

        > ” I just want to know one thing, if you only switch upgrade pref to true, with EASE mode or https-only mode but that will not matter when setting an exception, will some https sites as you said need http content load properly?”

        Could you please explain, I’m afraid I don’t understand your question.

      6. Tom Hawack said on August 16, 2021 at 10:19 am
        Reply

        Mea culpa (3 times). Erratum! Now, back to English : atchoum, I made a big mistake.

        @Yash, when you write “security.mixed_content.upgrade_display_content works independently of security.mixed_content.block_display_content pref” you are right. My fault.

        To summarize the three mixed-content prefs :

        // disable (true) or enable (false) insecure active content on https pages – mixed content
        pref("security.mixed_content.block_active_content", true); // DEFAULT=true

        // disable (true) or enable (false) insecure passive content (such as images) on https pages – mixed context
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false

        // disable (false) or enable (true) insecure passive content UPGRADE (such as images) on https pages – mixed context
        // When enabled, this preference causes Firefox to automatically upgrade requests for media content from HTTP to HTTPS on secure pages.
        // The intent is to prevent mixed-content conditions in which some content is loaded securely while other content is insecure.
        // If the upgrade fails (because the media’s host doesn’t support HTTPS), the media is not loaded.
        pref("security.mixed_content.upgrade_display_content", false); // DEFAULT=false

        This is where I made the mistake : If the upgrade fails (because the media’s host doesn’t support HTTPS), the media is not loaded… EVEN IF “security.mixed_content.block_display_content” is false (default).

        A long time mistake which missed being corrected (reason, not excuse!) given I use HTTPSEverywhere in EASE mode and therefore have left all three above-mentioned prefs to their default values.

      7. Yash said on August 16, 2021 at 5:16 pm
        Reply

        Mixing part has been cleared in your last comment, I misunderstood it for something else previously, my mistake.

        Yeah I also used EASE mode in https everywhere and switched to https-only mode when it first came out. But in your original comment you mentioned a site which doesn’t work in https-only and so I disabled it for now. Then I went on to see some other prefs who can cover at least some functionality, which were these three prefs, the site you mentioned load perfectly, so I thought okay new settings for now. But this line – “I use several HTTPS Web radio portals which call different non-secure Web radios : setting ‘security.mixed_content.block_display_content’ to true would block access to these 3rd-party servers.” That has got me thinking again, coz first that is a valid point, block pref would stop that thing, so here’s my question? Instead of block pref being turned on, how about switch upgrade pref, leave block to default, and see if problem remains the same.

        If the problem is still there, I definitely will switch to https everywhere and EASE mode, and leave these prefs as they are, as add-on can be configured for individual sites but prefs can’t.

      8. Tom Hawack said on August 17, 2021 at 9:46 am
        Reply

        @Yash, to answer your question:

        pref("security.mixed_content.block_active_content", true); // DEFAULT=true
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false
        pref("security.mixed_content.upgrade_display_content", true); // DEFAULT=false

        Now open : [https://vtuner.com/setupapp/guide/asp/BrowseStations/startpage.asp]
        Select a radio. Vtuner will (try to) connect to the radio’s server and most likely radio won’t start (unless the server accepts HTTPS, seldom with radio servers). Try/test different scenarios ..

      9. Emil Brausewetter said on August 17, 2021 at 3:42 pm
        Reply

        >>>”Vtuner will (try to) connect to the radio’s server and most likely radio won’t start (unless the server accepts HTTPS, seldom with radio servers).”

        Depending on the capabilities of the streaming server and the associated client – in your case jPlayer, streaming audio is in principle transmitted via the common HTTP protocol.

        Known as HTTP Streaming, a push-style data transfer technique that allows a web server to continuously send data to a client over a single HTTP connection that remains open indefinitely. Technically, this goes against HTTP convention, but HTTP Streaming is an efficient method to transfer all kinds of dynamic or otherwise streamable data between the server and client.

        >>>”and most likely radio won’t start”

        … because there is no stream at the moment,

        … the webmaster has inserted the streaming URL sloppily and incorrectly

        … YOU have this problem caused by a completely unnecessary messing around with browser settings that you obviously don’t understand.

        >>>”Try/test different scenarios ..”

        Test a typical HTTP Streaming in your browser’s native player:

        http://listen.011fm.com:8020/stream11

        Note the Port 8020, if that’s blocked by your firewall … no stream.

        Via port 443 (HTTPS) proxy

        https://usa6.fastcast4u.com/proxy/wsjfhd?mp=/1

        The Proxy 443 link enables listeners to tune-in even if they use firewalls that may block listening to Online Radio streams.

        Thanks for listening ;~)

      10. Tom Hawack said on August 17, 2021 at 8:35 pm
        Reply

        @Emil Brausewetter, I listened and I heard (an ad proclaimed ‘You’ll see what you hear’ and here it’s the opposite : I heard what I saw/read!)

        Your comment is very technical. All I meant to say is not that I don’t receive radio streams from vTuner (or elsewhere) because I do!. Only that vtuner itself is HTTPS but it calls radio streams via HTTP and if I either,

        Block Display Mixed Content is true :
        pref("security.mixed_content.block_display_content", true); // DEFAULT=false

        or Allow Display Mixed Content Upgrade is true
        pref("security.mixed_content.upgrade_display_content", true); // DEFAULT=false

        then the connection to the HTTP-only radio streams will fail.

        In fact it’s all in dealing with three Mixed-Content prefs, the third (“security.mixed_content.upgrade_display_content”) finally unworthy, perhaps the reason why Firefox left it as ‘false’

      11. Emil Brausewetter said on August 18, 2021 at 11:52 am
        Reply

        What you (and this article) seem to fail to notice is the distinction between mixed passive/display content and mixed active content.
        For further information I recommend the following article:
        https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content#types_of_mixed_content

        By default, Firefox does not block “mixed passive/display content”, the threat is lower. No point in flipping the pref security.mixed_content.block_display_content unless you are truly paranoid.

        In your scenario
        Tom Hawack said on August 17, 2021 at 9:46 am
        only these two settings are relevant for “mixed passive/display content”, in case of “vtuner.com” the audio stream.
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false
        pref("security.mixed_content.upgrade_display_content", true); // DEFAULT=false

        Your observation “most likely radio won’t start (unless the server accepts HTTPS …)” is in complete contradiction to the settings you specified:
        1. setting = Allow passive/display HTTP content – the radio should start streaming
        2. setting = upgrade_display_content=true – makes no sense at all because HTTP is allowed and if the stream is delivered via HTTPS, these settings are ignored anyway.

        Because of this muddled nonsense, I could not resist and dared to point out possible other causes as well:
        … streaming server offline
        … the webmaster has inserted the streaming URL sloppily and incorrectly
        … ports blocked
        … services at OS level disabled and so on.

        Take it sporty …

      12. Tom hawack said on August 18, 2021 at 3:32 pm
        Reply

        @Emil Brausewetter, taking it “sporty” would mean a quest of reputation?! No ego as far as I’m concerned, if I can help I try, if I mistake then always happy to learn. No leadership battle! I’m betting on your natural humbleness :)

        This said, seems to me that the distinction between mixed-display and mixed-active is clearly established; this is not what we’ve been debating about in this thread.

        The whole point here above was to consider how an HTTPS site calling HTTP 3rd-party servers would perform when considering blocking mixed-display and, further on, considering mixed_content.upgrade_display_content.

        It has NOT been mentioned that Firefox by default blocks “mixed passive/display content” : on the contrary I have repeated more than once the default prefs’ values. Be repeated again in case you would have missed it :

        pref("security.mixed_content.block_active_content", true); // DEFAULT=true
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false

        From there on Yash mentioned the 3rd option :
        pref("security.mixed_content.upgrade_display_content", [true/false?]); // DEFAULT=false

        We then debated on this latter pref and concluded that, if set to true AND an HTTPS site called an HTTP 3rd-party that refused HTTPS, then the connection would fail EVEN IF security.mixed_content.block_display_content was left at ‘true’ (DEFAULT).

        So, obviously, it’s not that we disagree but that you haven’t understood or that I’ve insufficiently explained. Maybe a drawing would have helped.

      13. Emil Brausewetter said on August 19, 2021 at 1:32 am
        Reply

        >>>”taking it “sporty” would mean a quest of reputation?!”
        Nonsense! It means: Fair Play.

        Anyway, I’ve had some time lately to check out your scenario:
        pref("security.mixed_content.block_display_content", false); // DEFAULT=false
        pref("security.mixed_content.upgrade_display_content", true); // DEFAULT=false

        You are right, so I apologize for the NONSENSE I said in this paragraph
        Quote:
        “Your observation “most likely radio won’t start (unless the server accepts HTTPS …)” is in complete contradiction to the settings you specified:
        1. setting = Allow passive/display HTTP content – the radio should start streaming
        2. setting = upgrade_display_content=true – makes no sense at all because HTTP is allowed and if the stream is delivered via HTTPS, these settings are ignored anyway.”

        mea culpa, mea culpa, mea maxima culpa […]

      14. Yash said on August 19, 2021 at 9:41 am
        Reply

        It feels so much better when some random folks debate on something without rants or false arguments, Chef’s kiss.

      15. Yash said on August 17, 2021 at 1:11 pm
        Reply

        Thanks for the link, definitely one to be bookmarked.

        It didn’t load with upgrade pref. Tried different scenarios and none worked. Looking back at it I was naive, as in the browserleaks test http content gets blocked, hence url remains https irrespective of results. I should’ve seen this earlier. Now back to EASE mode with a bit of nostalgia.

      16. Tom Hawack said on August 17, 2021 at 8:37 pm
        Reply

        @Yash, life is adventure, computing an odyssey :=)
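The interaction of the three mixed-content prefs debated in the sub-thread above can be checked against a page's own markup. The following is an added example, not code from the article, the commenters or Firefox: it finds `http://` subresources in a page served over HTTPS, classifies them as display or active content along the lines of the MDN article linked above, and models the result under a given pref set. The sample page, the host names, the `https_hosts` parameter and the rule that the upgrade pref is evaluated before the block pref are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Defaults as quoted in the thread; keys are the security.mixed_content.* pref names.
DEFAULT_PREFS = dict(block_active_content=True, block_display_content=False,
                     upgrade_display_content=False)
PASSIVE_TAGS = {"img", "audio", "video", "source"}  # display content
ACTIVE_TAGS = {"script", "iframe"}                  # plus <link rel=stylesheet>

class MixedContentFinder(HTMLParser):
    """Collect http:// subresources of a page that is served over HTTPS."""
    def __init__(self):
        super().__init__()
        self.found = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        if not url or urlsplit(url).scheme.lower() != "http":
            return  # relative, protocol-relative and https:// URLs are not mixed
        stylesheet = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        if tag in PASSIVE_TAGS:
            self.found.append(("display", url))
        elif tag in ACTIVE_TAGS or stylesheet:
            self.found.append(("active", url))

def outcome(kind, url, prefs, https_hosts):
    """Modelled result for one mixed subresource; https_hosts answer on HTTPS."""
    if kind == "active":
        return "blocked" if prefs["block_active_content"] else "loaded over HTTP"
    if prefs["upgrade_display_content"]:  # assumption: checked before the block pref
        upgraded = urlsplit(url).hostname in https_hosts
        return "loaded over HTTPS" if upgraded else "failed: no fallback to HTTP"
    return "blocked" if prefs["block_display_content"] else "loaded over HTTP"

def audit(html, prefs=DEFAULT_PREFS, https_hosts=frozenset()):
    finder = MixedContentFinder()
    finder.feed(html)
    return [(k, u, outcome(k, u, prefs, https_hosts)) for k, u in finder.found]

# Constructed sample page with placeholder hosts, imagined as served over HTTPS.
SAMPLE = """
<audio src="http://radio.example:8020/stream"></audio>
<img src="http://img.example/logo.png">
<script src="http://cdn.example/app.js"></script>
<img src="https://img.example/ok.png">
"""

if __name__ == "__main__":
    prefs = dict(DEFAULT_PREFS, upgrade_display_content=True)
    for row in audit(SAMPLE, prefs, {"img.example"}):
        print(*row, sep="  ")
```

With the upgrade pref on, the HTTP-only audio stream is reported as failed while the image whose host also serves HTTPS loads, which is the case the commenters converged on.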

  13. pwned said on August 13, 2021 at 4:32 pm
    Reply

    Microsoft update catalog uses HTTP to serve the files and so do many other commonplace services.

  14. Shania said on August 13, 2021 at 4:25 pm
    Reply

    Only if they had this much energy to work towards fixing ten-year-old or older bugs in Bugzilla.

    A lot of downloads are one time generated per session, so in that case HTTP downloads can’t be generated back from webpage after it fails initially.

    Alienating users is an art and FF mastered it well.

    1. Yash said on August 14, 2021 at 8:28 am
      Reply

      You clearly didn’t read the article properly, plus in the screenshots there is an allow option, so the one-time download thing is nonsense.

      1. Jakola said on August 15, 2021 at 8:25 pm
        Reply

        I literally found this article via Google because Firefox blocked my download, and when allowing the download it would fail because Firefox tries to restart it or something, but the link was one-time only. Next time download the beta and try it before spreading bs. Such a ridiculous “feature”…

      2. Yash said on August 15, 2021 at 11:28 pm
        Reply

        Thanks, but the point was everything that was said in the original comment is already covered in the article. Plus it has not landed in stable release yet, so some *issues* will get resolved, like in every other software. Restart or something like that, maybe that’s down to the release channel you selected, in beta though some things can break, hence it’s called beta.

  15. Dumbledalf said on August 13, 2021 at 4:14 pm
    Reply

    At least they are handling this better than Chrome where if you download something insecure, nothing really happens so you can’t even know if the download has been blocked or for what reason, you don’t know what’s happened unless you’ve read the patch notes that this function is now available and running inside the browser.

    1. ilev said on August 15, 2021 at 6:25 am
      Reply

      If you download something insecure in Chrome you get a notification that the download is blocked
      or you get a notification to run the file in virustotal and download.
