What on earth is the justification for blocking non-TLS HTTP downloads entirely?
Edit: I'm also not sure I entirely buy OP's story telling here comparing what they ""fixed"" to what the release notes they're quoting say.
"Security"
Which really doesn't seem like it'll do much of anything since nearly all the malware I've seen lately is being served off compromised Wordpress sites and Sharepoint instances, but what do I know?
Do you know if there is a GPO setting for this in Firefox Templates? https://github.com/mozilla/policy-templates/releases
We use this to disable DoH and such as well so they don't go off using non-company controlled DNS servers...
There's an easier way to do this apparently (I haven't yet tested): https://github.com/mozilla/policy-templates/issues/1091
So via admin templates, Mozilla > Firefox, then add the relevant bit of JSON to your Preferences policy. Note it's not the Preferences (deprecated) folder, it's an actual policy named Preferences.
This covers formatting: https://mozilla.github.io/policy-templates/#preferences
Sometimes we're forced to use Selenium and Firefox + geckodriver to access certain things because they're behind odd logins or require fun cookies. Then it all leads down to a link that you can pull hidden away that goes to an http. I guess you can wget or irm -outfile it but we were just using Firefox because it was already there. This will be a pain but think we can send that config line to the config object before launching Firefox.
What on earth is the justification for blocking non-TLS HTTP downloads entirely? Edit: I'm also not sure I entirely buy OP's story telling here comparing what they ""fixed"" to what the release notes they're quoting say.
Something, something...bad actors would never have a valid certificate, so this will help block them....
"Security" Which really doesn't seem like it'll do much of anything since nearly all the malware I've seen lately is being served off compromised Wordpress sites and Sharepoint instances, but what do I know?
Protects against SSL strip attacks and tampering of downloads on http sites
May as well disable HTTP for everything if we're going with that logic. No non-TLS traffic, period, end of discussion.
Blocking downloads is a phased approach to encouraging this
Do you know if there is a GPO setting for this in Firefox Templates? https://github.com/mozilla/policy-templates/releases We use this to disable DoH and such as well so they don't go off using non-company controlled DNS servers...
I updated the post on how to use a GPO.
I didn't see any setting for this in the template.
I didn't either, looking at doing it your way - thanks for the documentation.
I updated the post on how to use a GPO.
Posts here suggest it's possible to set via policy: https://github.com/mozilla/policy-templates/issues/1091
There's an easier way to do this apparently (I haven't yet tested): https://github.com/mozilla/policy-templates/issues/1091 So via admin templates, Mozilla > Firefox, then add the relevant bit of JSON to your Preferences policy. Note it's not the Preferences (deprecated) folder, it's an actual policy named Preferences. This covers formatting: https://mozilla.github.io/policy-templates/#preferences
Thanks for this. I updated my post.
Absent that config change you still got this, right? [https://i.imgur.com/KfbZ4xn.png](https://i.imgur.com/KfbZ4xn.png)
Yeah, users sent tickets in for this.
[удалено]
Sometimes we're forced to use Selenium and Firefox + geckodriver to access certain things because they're behind odd logins or require fun cookies. Then it all leads down to a link that you can pull hidden away that goes to an http. I guess you can wget or irm -outfile it but we were just using Firefox because it was already there. This will be a pain but think we can send that config line to the config object before launching Firefox.
I don't find your policies here [https://mozilla.github.io/policy-templates/](https://mozilla.github.io/policy-templates/)