Security and the jar protocol
This article discusses security concerns with the
jar: protocol, which only Firefox has ever implemented for Web content.
Note: Support for the
jar: protocol was disabled by default for use from Web content beginning in Firefox 45, but re-enabled again because it broke the experience of IBM iNotes users. iNotes has since been updated so that it no longer needs remote
jars, so they have been disabled again in Firefox 55. You may re-enable the feature if necessary by setting the
network.jar.block-remote-files preference to
Java Archive (JAR) files are simply Zip compressed bundles of files. Firefox 22.214.171.124 (and Firefox 126.96.36.199) fixed a potential security issue in the same origin policy when the
jar: protocol was used to load data.
Prior to this change, specifying the
jar: protocol caused Firefox to assume that the file being retrieved is a JAR file, regardless of its MIME type (in other words, its MIME type was assumed to be
application/zip, regardless of what it actually was). This means that no matter what the file's real contents are, as far as Firefox is concerned, it was a Zip archive.
This ordinarily isn't a big deal, since site developers wouldn't put up dangerous files and set them up to download like Zip archives. However, if a site allows file uploads, Zip files are typically treated as relatively innocuous by web sites in that situation, since they're not executable.
Unless, of course, the browser thinks it's a JAR file.
So starting with Gecko 188.8.131.52 and 184.108.40.206, the
jar: protocol is only allowed if the MIME type of the file is
application/java-archive. A site that serves a file with that type is essentially promising that it has vetted the content and that it is in fact safe to download and execute. Any other file type results in an "Unsafe file type" error.