
Mozilla junks FTP from v.61 onwards

Story Highlights

  • Firefox version 61 onwards will not support FTP subresources inside webpages

Mozilla developers have decided to block requests for File Transfer Protocol (FTP) subresources inside web pages. A bug report and Intent to implement notice suggest the change will land in Firefox 61. The browser’s currently at version 59, with 61 due in May 2018.

By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://" attribute.

FTP links placed inside normal <a> links or typed directly in the browser’s address bar will continue to work.
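For site owners who want to find affected markup, the distinction above can be checked with a short audit script. This is an added example, not code from Mozilla or the original article: the names FtpAudit, is_ftp and audit are hypothetical, the sample page and its example.test hosts are constructed, and it assumes that any src attribute with an ftp:// URL counts as a subresource load. It inspects static markup only, not loads started by scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<html><body>
<img src="ftp://files.example.test/logo.png">
<script src="FTP://files.example.test/lib.js"></script>
<iframe src="ftp://files.example.test/docs/"></iframe>
<img src="https://cdn.example.test/ok.png">
<a href="ftp://files.example.test/archive.zip">download</a>
</body></html>"""


def is_ftp(url):
    """True if the URL scheme is ftp (case-insensitive, whitespace-tolerant)."""
    try:
        return urlsplit(url.strip()).scheme.lower() == "ftp"
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False


class FtpAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.subresources = []  # (line, tag, url): loaded via src, blocked
        self.links = []         # (line, tag, url): <a href>, still allowed

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag starts
        for name, value in attrs:
            if not value or not is_ftp(value):
                continue
            if name == "src":
                self.subresources.append((line, tag, value.strip()))
            elif tag == "a" and name == "href":
                self.links.append((line, tag, value.strip()))


def audit(html):
    """Return (blocked subresources, unaffected links) found in the markup."""
    parser = FtpAudit()
    parser.feed(html)
    parser.close()
    return parser.subresources, parser.links


if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE)
    for line, tag, url in blocked:
        print(f"line {line}: <{tag} src> loads {url} (FTP subresource)")
    for line, tag, url in allowed:
        print(f"line {line}: <a href> to {url} (plain link, unaffected)")
```
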

The reasoning is that FTP is an insecure protocol that doesn’t support modern encryption techniques and inherently breaks many built-in browser security and privacy features, such as HSTS, CSP, XSA, or others.

Furthermore, many malware distribution campaigns rely on compromising FTP servers and then redirecting users or downloading malware onto their computers via FTP subresources.

The change will permit access to FTP resources in hyperlinks or when an FTP server’s address is entered into Firefox’s address bar, but the browser will no longer allow FTP resources to be summoned using the HTML src attribute.

Firefox will also block loads from FTP servers in iframes.

Firefox developers have probably made the change for the same reasons Chrome’s coders offered when Google’s browser started labelling FTP sites as insecure last year, namely that FTP sends data as plaintext and just wasn’t designed for the modern web. Indeed, the protocol predated the web by more than 15 years.

HTTP and HTTPS webpages may reference FTP resources in the same way they reference other HTTP or HTTPS resources, for example to load images or other content from FTP locations.

Firefox displays a warning in the browser’s Developer Tools if webpages attempt to load FTP subresources in an iframe. The warning reads: “Loading FTP subresource within http(s) page not allowed (Blocked loading of FTP URL)”.

The change won’t block direct FTP links on webpages and Firefox won’t block FTP addresses that users type or paste in the browser’s address bar either.

