HTTP/2 200
x-backend-server: bedrock-5455fcf68c-7xksv.gcp-us-west1
server: granian
x-content-type-options: nosniff
cache-control: max-age=600
strict-transport-security: max-age=31536000
etag: "0229249dd4646458629e0d6079b17991"
expires: Thu, 16 Oct 2025 13:12:46 GMT
content-language: en-US
content-type: text/html; charset=utf-8
content-security-policy: object-src 'none'; form-action 'self' https://accounts.firefox.com/ https://basket.mozilla.org; style-src 'self' 'unsafe-inline' www.mozilla.org; img-src 'self' blog.mozilla.org data: images.ctfassets.net www.google-analytics.com www.googletagmanager.com www.mozilla.org; frame-ancestors 'none'; default-src 'self' *.mozilla.org; font-src 'self' www.mozilla.org; script-src 'self' 'unsafe-eval' 'unsafe-inline' js.stripe.com s.ytimg.com tagmanager.google.com www.google-analytics.com www.googletagmanager.com www.mozilla.org www.youtube.com; connect-src 'self' https://accounts.firefox.com/ https://basket.mozilla.org o1069899.ingest.sentry.io o1069899.sentry.io region1.google-analytics.com www.google-analytics.com www.googletagmanager.com www.mozilla.org/submit/bedrock/; upgrade-insecure-requests; media-src 'self' assets.mozilla.net videos.cdn.mozilla.net www.mozilla.org; base-uri 'none'; frame-src 'self' accounts.firefox.com js.stripe.com www.google-analytics.com www.googletagmanager.com www.youtube.com
content-security-policy-report-only: object-src 'none'; form-action 'self' https://accounts.firefox.com/ https://basket.mozilla.org; style-src 'self' www.mozilla.org; img-src 'self' blog.mozilla.org data: images.ctfassets.net www.google-analytics.com www.googletagmanager.com www.mozilla.org; frame-ancestors 'none'; default-src 'self' *.mozilla.org; font-src 'self' www.mozilla.org; script-src 'self' 'unsafe-eval' 'unsafe-inline' js.stripe.com s.ytimg.com tagmanager.google.com www.google-analytics.com www.googletagmanager.com www.mozilla.org www.youtube.com; connect-src 'self' https://accounts.firefox.com/ https://basket.mozilla.org o1069899.ingest.sentry.io o1069899.sentry.io region1.google-analytics.com www.google-analytics.com www.googletagmanager.com www.mozilla.org/submit/bedrock/; upgrade-insecure-requests; media-src 'self' assets.mozilla.net videos.cdn.mozilla.net www.mozilla.org; base-uri 'none'; frame-src 'self' accounts.firefox.com js.stripe.com www.google-analytics.com www.googletagmanager.com www.youtube.com
cross-origin-opener-policy: same-origin
x-clacks-overhead: GNU Terry Pratchett
x-frame-options: DENY
via: 1.1 google, 1.1 varnish, 1.1 varnish
referrer-policy: strict-origin-when-cross-origin
content-encoding: gzip
accept-ranges: bytes
age: 0
date: Thu, 16 Oct 2025 13:02:46 GMT
x-served-by: cache-bom-vanm7210076-BOM, cache-bom-vanm7210082-BOM
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1760619766.222593,VS0,VE383
vary: Accept-Encoding
content-length: 7229
File: protocol links downloaded to SD card by default — Mozilla
Help us improve your Mozilla experience
In addition to Cookies necessary for this site to function, we’d like your permission to set some additional Cookies to better understand your browsing needs and improve your experience. Rest assured — we value your privacy.
Accept All Additional Cookies
Reject All Additional Cookies
Cookie settings
Mozilla Foundation Security Advisory 2014-33
File: protocol links downloaded to SD card by default
Announced
March 25, 2014
Reporter
Roee Hay
Impact
High Products
Firefox
Fixed in
Description
Security researcher Roee Hay reported that a hyperlink using
the file: protocol on Firefox for Android could link to a local
file in the Firefox profile directory. If a user selected this link on their
device, the linked file would be copied to the SD card without prompting.
This SD card location is world readable leading to a potential information
disclosure of files in the Firefox profile through a malicious application.
References
