Mozilla will follow in the footsteps of Google Chrome and start blocking the loading of FTP subresources inside HTTP and HTTPS pages.

By FTP subresources, we refer to files loaded via the FTP protocol inside img, script, or iframe tags that have a src="ftp://".

FTP links placed inside normal <a> links or typed directly in the browser's address bar will continue to work.
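For site owners who want to check their pages before the change ships, here is a small audit script. It is an added example, not code from Mozilla or Google: it flags img, script, and iframe tags whose src resolves to ftp:// on an HTTP(S) page and ignores ordinary <a> links. The function and class names are hypothetical, and the sample page and example.test hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags the article names as loading FTP subresources through src="ftp://".
SUBRESOURCE_TAGS = {"img", "script", "iframe"}

# Constructed sample page; the example.test hosts are placeholders.
SAMPLE_HTML = """<html><body>
<img src="ftp://files.example.test/logo.png">
<script src=" FTP://files.example.test/lib.js"></script>
<iframe src="//cdn.example.test/frame.html"></iframe>
<img src="/images/local.png">
<a href="ftp://files.example.test/archive.zip">download</a>
</body></html>"""


class FtpSubresourceFinder(HTMLParser):
    """Collects src attributes that resolve to ftp:// on an HTTP(S) page."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []  # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names before calling us.
        if tag not in SUBRESOURCE_TAGS:
            return  # <a href="ftp://..."> is a navigation, not a subresource
        # Use the first src attribute if the tag repeats it.
        src = next((v for k, v in attrs if k == "src"), None)
        if not src:
            return
        # Relative and protocol-relative URLs inherit the page's scheme,
        # so only an explicit ftp: URL survives resolution as FTP.
        resolved = urljoin(self.page_url, src.strip())
        if urlsplit(resolved).scheme == "ftp":  # urlsplit lowercases the scheme
            self.findings.append((self.getpos()[0], tag, resolved))


def find_ftp_subresources(page_url, html):
    """Return (line, tag, url) for each FTP subresource in an HTTP(S) page."""
    if urlsplit(page_url).scheme not in ("http", "https"):
        return []  # the block described here applies to HTTP and HTTPS pages
    finder = FtpSubresourceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, tag, url in find_ftp_subresources("https://www.example.test/", SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```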

The reasoning is that FTP is an insecure protocol that doesn't support modern encryption techniques and will inherently break many other built-in browser security and privacy features, such as HSTS, CSP, XSA, or others.

Furthermore, malware distribution campaigns often rely on compromising FTP servers and then redirecting users or downloading malware onto their computers via FTP subresources.

FTP subresources to be blocked in Firefox 61

Mozilla engineers say FTP subresource blocking will ship with Firefox 61, currently scheduled for release on June 26.

Google made a similar decision to block the loading of FTP subresources last year, in September. Starting with Chrome 63, the browser began blocking FTP subresource loading and also began marking FTP links accessed in the browser address bar as "Not Secure."

FTP marked as Not Secure in Chrome

Google said at the time that 0.0026% of all links loaded in the browser address bar were FTP links, a number likely to be very similar on Firefox as well.

The hints from both browser teams are that FTP support overall might soon be deprecated in both browsers for security reasons, although neither Google nor Mozilla has placed a deadline on such a drastic measure.
