This article discusses security concerns with the jar:
protocol, which only Firefox has ever implemented for Web content.
Support for the jar:
protocol has been disabled by default for use from Web content beginning in Firefox 45. You may re-enable it if necessary by setting the network.jar.block-remote-files
preference to false
.
Java Archive (JAR) files are simply Zip compressed bundles of files. Firefox 2.0.0.10 (and Firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar:
protocol was used to load data.
Prior to this change, specifying the jar:
protocol caused Firefox to assume that the file being retrieved is a JAR file, regardless of its MIME type (in other words, its MIME type was assumed to be application/zip
, regardless of what it actually was). This means that no matter what the file's real contents are, as far as Firefox is concerned, it was a Zip archive.
This ordinarily isn't a big deal, since site developers wouldn't put up dangerous files and set them up to download like Zip archives. However, if a site allows file uploads, Zip files are typically treated as relatively innocuous by web sites in that situation, since they're not executable.
Unless, of course, the browser thinks it's a JAR file.
So starting with Gecko 1.8.0.15 and 1.8.1.10, the jar:
protocol is only allowed if the MIME type of the file is application/java-archive
. A site that serves a file with that type is essentially promising that it has vetted the content and that it is in fact safe to download and execute. Any other file type results in an "Unsafe file type" error.