Security and the jar protocol

This article discusses security concerns with the jar: protocol, which only Firefox has ever implemented for Web content.

Note: Support for the jar: protocol was disabled by default for use from Web content beginning in Firefox 45, but re-enabled again because it broke the experience of IBM iNotes users. iNotes has since been updated so that it no longer needs remote jars, so they have been disabled again in Firefox 55. You may re-enable the feature if necessary by setting the network.jar.block-remote-files preference to false.

Java Archive (JAR) files are simply Zip compressed bundles of files. Firefox 2.0.0.10 (and Firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar: protocol was used to load data.

Prior to this change, specifying the jar: protocol caused Firefox to assume that the file being retrieved is a JAR file, regardless of its MIME type (in other words, its MIME type was assumed to be application/zip, regardless of what it actually was). This means that no matter what the file's real contents are, as far as Firefox is concerned, it was a Zip archive.

This ordinarily isn't a big deal, since site developers wouldn't put up dangerous files and set them up to download like Zip archives. However, if a site allows file uploads, Zip files are typically treated as relatively innocuous by web sites in that situation, since they're not executable.

Unless, of course, the browser thinks it's a JAR file.

So starting with Gecko 1.8.0.15 and 1.8.1.10, the jar: protocol is only allowed if the MIME type of the file is application/java-archive. A site that serves a file with that type is essentially promising that it has vetted the content and that it is in fact safe to download and execute. Any other file type results in an "Unsafe file type" error.