Mozilla will follow in the steps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages.

By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://".

FTP links placed inside normal < a >links or typed directly in the browser's address bar will continue to work.

The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others.

Furthermore, many malware distribution campaigns often rely on compromising FTP servers and redirecting or downloading malware on users' computers via FTP subresources.

FTP subresources to be blocked in Firefox 61

Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.

Google took a similar decision to block the loading of FTP subresources last year, in September. Starting with Chrome 63, the browser started blocking FTP subresource loading, but also began marking FTP links accessed in the browser address bar as "Not Secure."

FTP marked as Not Secure in Chrome

Google said at the time that 0.0026% of all links loaded in the browser address bar were FTP links, a number likely to be very similar on Firefox as well.

The hints from both browser teams are that FTP support overall might soon be deprecated in both browsers due to security reasons, albeit neither Google nor Mozilla placed a deadline on such drastic measure.

Related Articles:

Mozilla Firefox 64.0 Released - Here's What's New

Mozilla Announces a Native ARM64 version of Firefox

Mozilla to Provide MSI Installers Starting with Firefox 65

Mozilla Firefox Expands DNS-over-HTTPS (DoH) Test to Release Channel

Mozilla Overhauls Content Blocking Settings in Firefox 65